Re: TCP SYNSENT Timeout [7:66178]
I don't know any Java but standard UNIX sockets allow a non-blocking connect. Thus you don't care what the underlying stack is doing, you just time-out at the application layer.

rgds Marc

John Neiberger wrote: One of our programmers is asking me about this and I really don't have an answer. I've checked RFC 793 and haven't spotted the answer yet. Is there a default time specified in TCP to remain in the SYN SENT state? If a device sends a SYN and doesn't receive a response, is the timeout a built-in TCP parameter or is that a function of the application or operating system? I'm starting to think that this is specific to the operating system, but we have a need to make it specific to a certain connection without affecting all TCP connections. To be specific, they're writing something in Java 1.3.1 (I think) and it doesn't have the capability to tweak TCP parameters. For a particular set of connections they'd like the timeout to be 10 seconds, but it seems to be defaulting to 45. They tell me that if we were using Java 1.4 they'd be able to adjust these parameters, which makes me think this is an application or OS-specific parameter and is only relevant to a particular TCP implementation and could vary from platform to platform. Any thoughts on this? Many thanks, John

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=66286t=66178 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
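Marc's application-layer timeout, as an added example that is not code from the thread: a non-blocking connect() watched with select() against the caller's own deadline, then SO_ERROR to learn how the attempt ended. The kernel keeps its own SYN retransmit schedule (that is where the 45 seconds comes from); the application simply stops waiting at its deadline and closes the socket, which abandons the half-open connection, and every other socket in the process keeps the system default. The function name, the loopback listener and the 10-second deadline are assumptions of the example.

```python
import errno
import select
import socket
import time


def connect_with_timeout(host, port, timeout):
    """Connect with an application-layer deadline instead of the OS SYN_SENT timer.

    Returns (sock, None) on success or (None, reason) on failure, where reason is
    'timeout' or an errno name such as 'ECONNREFUSED'. Only this connection is
    affected; no system-wide TCP parameter is touched.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.setblocking(False)
    try:
        err = sock.connect_ex((host, port))
        if err == 0:                                   # completed immediately
            sock.setblocking(True)
            return sock, None
        if err not in (errno.EINPROGRESS, errno.EWOULDBLOCK):
            sock.close()
            return None, errno.errorcode.get(err, str(err))

        deadline = time.monotonic() + timeout
        writable = []
        while not writable:
            remaining = deadline - time.monotonic()
            if remaining <= 0:
                sock.close()    # give up here; the kernel drops its SYN retries with the socket
                return None, 'timeout'
            _, writable, _ = select.select([], [sock], [], remaining)

        # Writable means the connect attempt finished; SO_ERROR says how it finished.
        err = sock.getsockopt(socket.SOL_SOCKET, socket.SO_ERROR)
        if err != 0:
            sock.close()
            return None, errno.errorcode.get(err, str(err))
        sock.setblocking(True)
        return sock, None
    except OSError as exc:
        sock.close()
        return None, errno.errorcode.get(exc.errno, str(exc))


def demo():
    """Constructed loopback demo: connect to a live listener on an ephemeral port,
    then to the same port once the listener is gone, each with a 10-second deadline."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(('127.0.0.1', 0))
    listener.listen(1)
    port = listener.getsockname()[1]

    sock, reason_live = connect_with_timeout('127.0.0.1', port, 10.0)
    if sock is not None:
        sock.close()
    listener.close()

    sock, reason_closed = connect_with_timeout('127.0.0.1', port, 10.0)
    if sock is not None:
        sock.close()
    return reason_live, reason_closed


if __name__ == '__main__':
    print(demo())   # (None, 'ECONNREFUSED')
```

The 'timeout' branch is the one that replaces the 45-second default: a SYN that is never answered (a silently dropping firewall, a black-holed route) leaves select() waiting, and the deadline, not the stack, decides when to give up. A refused port or an unreachable network still comes back at once through SO_ERROR.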
Re: Upgrading IOS with new flash on my 2500's [7:65472]
Bill, I've just done four this evening, I used the technique shown here: http://www.cisco.com/en/US/products/hw/routers/ps233/products_tech_note09186a00800941aa.shtml or http://www.cisco.com/warp/public/471/13.pdf

rgds Marc

Scott Roberts wrote: I can honestly say that I've never upgraded my IOS's by console cable. I didn't even know that the 2500 supported that, I only thought that it was the 3600 that supported transfer over the console cable? Has anyone done a console cable transfer with a 2500? William, you can do your upgrade in one of two ways: put the new flash into the secondary flash bank and tftp copy to the second flash partition, or you can boot to the rom boot-helper with your new flash in the first bank and then tftp. Another possibility I suppose you could do is have enough dram memory and do a network boot and then do a tftp copy to the flash. scott

Clements, William (Bill) wrote in message news:[EMAIL PROTECTED] All, I recently bought some new flash for my 2500's and would like to know if there is an easier way to upload the newest IOS, other than with the console cable. Thanks, Bill Clements MCSE, CCNP Network Engineer INS

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=65690t=65472
Re: What is a distributed/collapsed backbone? [7:65225]
Thanks for all the replies, I haven't yet looked at Priscilla's Top Down but probably will. I have found the official guides useful in the past since they often come up with some unusual and Cisco-centric ideas, which you need to know for the exams.

rgds Marc

aletoledo wrote: She was too modest to mention it, but your best bet for a design education is from Priscilla's book. It's well worth twice the price (twice the discounted bookpool price that is!! ;)). scott

Marc Thach Xuan Ky wrote in message news:[EMAIL PROTECTED] Hi all, I thought I'd do 640-025 CID before it disappears, so I started reading the Ciscopress book, CID exam certification guide. Now in chapter 2, section Issues facing campus LAN designers (I'm using Safari books online so I don't know the page number) it shows figs 2.4 and 2.5 distributed and collapsed backbones respectively. The distributed backbone shows per floor, one router and one switch, the collapsed backbone shows a single router for the building fanning out to one switch per floor. Fair enough I guess, but the scenario 1, Q2 in the same chapter asks what backbone to use in a particular case and then answers it with distributed backbone and a picture fig 2.8 that looks rather like the collapsed backbone shown earlier. I obviously have to learn Ciscospeak for the exam so can anybody tell me, which is it? rgds Marc

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=65368t=65225
What is a distributed/collapsed backbone? [7:65225]
Hi all, I thought I'd do 640-025 CID before it disappears, so I started reading the Ciscopress book, CID exam certification guide. Now in chapter 2, section Issues facing campus LAN designers (I'm using Safari books online so I don't know the page number) it shows figs 2.4 and 2.5 distributed and collapsed backbones respectively. The distributed backbone shows per floor, one router and one switch, the collapsed backbone shows a single router for the building fanning out to one switch per floor. Fair enough I guess, but the scenario 1, Q2 in the same chapter asks what backbone to use in a particular case and then answers it with distributed backbone and a picture fig 2.8 that looks rather like the collapsed backbone shown earlier. I obviously have to learn Ciscospeak for the exam so can anybody tell me, which is it?

rgds Marc

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=65225t=65225
Re: kbit vs. Kbit kByte vs. KByte (was BW Calc) [7:65211]
This is all very well but sometimes when people write 500 they really mean 512, so where does that leave you ?8-)

Marc

s vermill wrote: Here's a perfectly illustrative example of how common it is to jumble all this terminology up... I often use a download test site at PC Pitstop: http://www.pcpitstop.com/internet/Bandwidth.asp I ran a quick download test that transferred a 500 KB block of text to my machine. It took 2.744 seconds to complete. Thus, the result was returned as 1458 Kb/s. Here's the math:

(assuming decimal) 500 * 1000 * 8 = 4,000,000 bits / 2.77 seconds = ~1,458,000 bits/sec = ~1458 decimal kbits/sec or ~1423 binary Kbits/sec

Now... (assuming binary) 500 * 1024 * 8 = 4,096,000 bits / 2.77 seconds = ~1,478,000 bits/sec = ~1478 decimal kbits/sec or ~1443 binary Kbits/sec

So, in spite of the fact that they are using the binary upper-case K throughout, they are obviously meaning the decimal lower-case k, which makes sense given that throughput is expressed that way.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=65236t=65211
Re: Question concerning a new 2501 router in home lab [7:64170]
When you run your hand across the keyboard, do you touch it or is this a psychic thing :-) I'd check the parity on your terminal. It may be setting the wrong parity for the router but ignoring incorrect received parity.

Marc

Jim wrote: I recently acquired a used 2501 router for my home lab that is booting with no problem. There is no configuration so it asks if you want to auto config. I try to enter an N at this point and get nothing, it seems as if the keystroke is not seen by the router. If I just run my hand across the keyboard the router responds with enter a yes or no to continue. Any suggestions to assist is greatly appreciated. Jim Valentine

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=64181t=64170
Re: Help,token ring connection without mau [7:61954]
Not to mention that a TR card goes through a lobe test before attempting insertion into the ring. The lobe test is effectively a loopback at the MAU, a crossover cannot do this.

rgds Marc

Priscilla Oppenheimer wrote: ha wrote: Hi, can 2 token ring interfaces be directly connected with a cross cable? I've carefully read the pinout at CCO and made sure it's right, but it did not work. Must I buy a MAU to let them work correctly? Thanks for your help. Token Ring uses an active repeater, i.e. a MAU. A NIC sends to its downstream neighbor and receives from its upstream neighbor. For this to happen, a relay, i.e. a MAU, must relay the bits. A MAU is basically a set of relays. Well, that's a convoluted way to say you need a MAU. You can probably get one really cheap on e-Bay. Priscilla

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=62003t=61954
Re: NAT [7:60784]
Dwayne, it's most likely that any NAT implementation would overwrite the header data that it wishes to change, rather than rewriting the header in its entirety. Of course the end result would look the same when you view the packet, however you can recalculate the checksum from the old and new IP addresses without reading the entire packet, so that's a gain for not using the full header creation code. Note though that some protocols which don't pass well through NAT are handled by an ALG (Application Level Gateway), and these modules will rewrite the IP data. Now if I were coding an ALG I'd certainly create the entire header from scratch, and I might need to do the same with the data. Think of an FTP ALG for example. Here the length of the data may be changed, in particular it may grow. The buffer that is currently allocated for the packet may not have room to grow, so in that case, you'd need to copy the data into a larger buffer probably as you parse and alter the data.

rgds Marc

Dwayne Saunders wrote: Hi all, Was just wondering if any one could put me on to a good link in regards NAT and packet headers. Simply, what I am trying to find out is: is the packet header totally rewritten or just the ip address part of the header and checksum, or is a new header written to envelope the original header, or does each application do it differently? Any help would be great. Regards D'Wayne Saunders

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=60802t=60784
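Marc's point that NAT overwrites the address in place and fixes the checksum from the old and new values alone, as an added example that is not code from the thread: the RFC 1624 incremental update beside a from-scratch recompute, run on a constructed UDP packet so the two can be compared. The transport checksum has to be patched too, because the TCP/UDP pseudo-header covers the addresses; the same word-by-word delta serves both. The function names, the sample packet and the outside address 203.0.113.5 are assumptions of the example.

```python
import struct


def ones_complement_sum(data):
    """16-bit one's-complement sum of `data` (RFC 1071), folded to 16 bits."""
    if len(data) % 2:
        data += b'\x00'
    total = sum(struct.unpack('!%dH' % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def full_checksum(data):
    """Checksum from scratch: has to read every byte it covers."""
    return (~ones_complement_sum(data)) & 0xFFFF


def incremental_checksum(old_csum, old_field, new_field):
    """RFC 1624 eq. 3, HC' = ~(~HC + ~m + m'), applied word by word to the changed field.

    Reads only the old and new field values, never the rest of the packet.
    """
    total = (~old_csum) & 0xFFFF
    for (m,), (m_new,) in zip(struct.iter_unpack('!H', old_field),
                              struct.iter_unpack('!H', new_field)):
        total += ((~m) & 0xFFFF) + m_new
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def nat_rewrite_source(packet, new_src):
    """Overwrite the IPv4 source address in place and patch the checksums that cover it.

    Both the IP header checksum and the TCP/UDP checksum change, because the
    transport pseudo-header includes the addresses. Assumes a 20-byte IP header.
    """
    pkt = bytearray(packet)
    old_src, proto = bytes(pkt[12:16]), pkt[9]
    ip_csum = int.from_bytes(pkt[10:12], 'big')
    struct.pack_into('!H', pkt, 10, incremental_checksum(ip_csum, old_src, new_src))
    pkt[12:16] = new_src
    csum_off = {17: 20 + 6, 6: 20 + 16}.get(proto)      # UDP / TCP checksum field offsets
    if csum_off is not None:
        t_csum = int.from_bytes(pkt[csum_off:csum_off + 2], 'big')
        if proto == 17 and t_csum == 0:
            return bytes(pkt)                          # UDP with no checksum: nothing to fix
        t_csum = incremental_checksum(t_csum, old_src, new_src)
        if proto == 17 and t_csum == 0:
            t_csum = 0xFFFF                            # UDP sends a computed zero as 0xFFFF
        struct.pack_into('!H', pkt, csum_off, t_csum)
    return bytes(pkt)


def ip_checksum_full(packet):
    """Reference: recompute the IP header checksum from scratch."""
    hdr = bytearray(packet[:20])
    hdr[10:12] = b'\x00\x00'
    return full_checksum(bytes(hdr))


def udp_checksum_full(packet):
    """Reference: recompute the UDP checksum over pseudo-header + UDP datagram."""
    udp = bytearray(packet[20:])
    udp[6:8] = b'\x00\x00'
    pseudo = packet[12:20] + b'\x00' + bytes([packet[9]]) + struct.pack('!H', len(udp))
    return full_checksum(pseudo + bytes(udp))


# Constructed sample: 192.168.0.1:4660 -> 192.168.0.199:53, UDP, payload b'hi'.
SAMPLE = bytes.fromhex('4500001e 00004000 4011b8b6 c0a80001 c0a800c7'   # IP header, checksum 0xb8b6
                       '12340035 000a02ef 6869')                          # UDP header, checksum 0x02ef
NEW_SRC = bytes([203, 0, 113, 5])                                         # the outside address
```

Port translation (PAT) is patched the same way, feeding the old and new port word to incremental_checksum on the transport checksum only. An ALG that edits the payload, as in Marc's FTP case, cannot take this shortcut: the length changes, so the transport checksum is recomputed over the new data and the IP total length field changes as well.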
Re: CCNA/CCNP home Lab setup [7:60727]
I've found that it's useful to have a variety of kit, and as many routers as possible. Cisco prices on eBay have fallen through the floor. A 4000 series with NP-4Ts is a good frame switch. 2500s are good workhorses, best to get one with an ISDN BRI (I didn't and regretted it). Once you have a couple of ethernet-based routers, don't discount token-ring 2500s if they are cheap or any 3000 series router. 3000s are ludicrously cheap at the moment and can run 2500 IOS 12.0 images. Don't buy multiple 2600s unless you're rich. Two 12-port switches allow better practice than one 24-port.

rgds Marc

McManus, Robert BGI SDC wrote: Could someone give me advice on what I would need (models) for a home lab setup for my CCNA/CCNP training? Any advice would be appreciated.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=60804t=60727
Re: Load balancing NAT [7:60663]
Doug, I used the term horrible kludge several hours before I saw your post. The multiple NAT pool kludge is horrible because it is neither scalable nor maintenance-free, nor does it include any dynamic distribution of load across the resultant multiple (outside local) addresses in use. It almost removes the requirement for the load-balancing part of the load-balancers, leaving them with server failover tasks only. As I stated in my post, I'd be looking for a different form of sticky (or a different NAT device).

rgds Marc

Doug S wrote: I liked the comment and definitely agree that some of the authors of Cisco training material should be named and publicly humiliated, although the sheer volume of mistakes could make this a somewhat overwhelming task for the public doing the humiliating. Still, I want to add my opinion that Cisco documentation and training material is of a lot higher quality than a lot of what's out there, not to name names like MS Press or anything. The reason I blindly accepted and posted that particular quote is because it DOES match my personal experience, which, I admit, is considerably less than the other posters in this thread. The only experience I have is in a lab on 2500's and 2600's running something around IOS 12.1(T). I also want to point out that this behavior of only overloading the first address in the pool sounds like exactly what the original poster is experiencing. The fact that Emilia's and my experience contradicts Peter's and TLaWR makes me think that there are differences in how this works on different platforms, as TJ suggests. I'd also like to hear people's opinions on why my solution is a horrible kludge, as opposed to just a plain old vanilla kludge.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=60858t=60663
Re: Load balancing NAT [7:60663]
IIRC when I last looked at this, it worked as you require, but that might have been v2 NAT rather than v3 which is current. Have you restarted the router? Superstition dictates that you should. Failing this, how many app servers are there? You *could* use multiple NAT pools, which would admittedly be a horrible kludge, depends on how desperately you want this. Is there not a better way of using sticky on the load-balancers? Are you in a position to change the app to use cookies for example? Or maybe persistent connections so the LBs aren't responsible for sticky?

rgds Marc

Emilia Lambros wrote: I'm looking more for a way to play with how the nat pool I have behaves with IP address use. The NAT config and translations are all working, however I can't find a situation online that shows me how I can force translations to not overload quite so much, or how I can make more IP addresses be used so my load balancing works with sticky sessions set. For as long as only 1 IP is being used, all connections to the application servers go to one application server. Even with 2 IPs being used, I would have more of a chance of connections going to the 2nd application server to create some load balancing but as I said, I'm sitting on 8500 connections and 1 IP being used. I know in theory I can go up to 65K+ connections on that 1 IP, but I would prefer more like a couple of hundred per IP. The majority of articles I've read show how to configure, say rotary pools or tcp load distribution but not examples of how you can use it another way that I could perhaps, adapt. As I said though, I can't play with the config because it's a live environment so it's a little harder to play and test with, without a guarantee that it will work :)

-Original Message- From: The Long and Winding Road [mailto:[EMAIL PROTECTED]] Sent: Thursday, 9 January 2003 11:24 AM To: [EMAIL PROTECTED] Subject: Re: Load balancing NAT [7:60663]

If you have a CCO customer account, there are a lot of articles in the TAC database. This one is a good start, I believe. http://www.cisco.com/en/US/customer/tech/tk648/tk361/technologies_tech_note09186a0080093fca.shtml (watch the wrap) HTH -- TANSTAAFL there ain't no such thing as a free lunch

Emilia Lambros wrote in message news:[EMAIL PROTECTED]... Hi all, I have an application being load balanced at one site (sticky sessions set such that each connection from 1 IP will continue its transactions to the same server it started on) and at another site, the users accessing the load balanced application. The users come in from different office locations across private WAN links, nat inside is on each of their interfaces and on each interface out of the router those WAN links connect to, is nat outside. I have changed their initial configuration based on NAT overload to an interface IP address to be a pool of addresses overloaded. I was hoping that the connections would spill over to the second IP in the pool at some stage sooner than the 8500 NAT connections I have currently, but no go. I may as well have NAT'd to 1 IP again :) Is there a way to overload NAT, but have it using more than 1 IP in the pool? e.g. a pool of 30 IPs, it's currently using 1.. I'd love the router to even round robin the use of IPs out of the pool but I can't play with the config to try it (live environment) and can't find any documentation online explaining exactly what I need NAT to do/not do :( Thanks, Em :)

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=60693t=60663
Re: Slightly OT - but important [7:60687]
This is hardly earth-shattering news. You can see this happening every time you sniff a LAN. Empty TCP segments (e.g. acks) with six bytes of random data. The only thing the report points out is that the data may previously have been used on another interface or it may be other non-network data, although I suspect that the latter is highly unlikely since NIC ring buffers would generally be pre-allocated early on in the driver initialisation code. I could be wrong but I would expect a NIC driver to block or drop if the TX or RX ring was full, rather than try and get a new buffer allocated. Where the random data is network data... well on shared media you should assume it's already been sniffed anyway, that's what ssh is for :-) Gotta go now, I've got a CCNP exam in an hour, wish me luck.

rgds Marc

The Long and Winding Road wrote: saw this one come through today. I checked the link down at the bottom of the page. I thought it quite interesting that Cisco and Microsoft are noted as not vulnerable while just about every *nix out there is listed as unknown. One sad note - my firewall of choice is shown as unknown also. I am presuming that testing is still going on with all these other products. unknown may not necessarily mean vulnerable

---

*CERT WARNS OF POTENTIALLY WIDESPREAD VULNERABILITY By SWD Staff

The Computer Emergency Response Team (CERT) Monday warned of a vulnerability affecting Ethernet device driver software running on multiple platforms that could allow a remote attacker to harvest potentially sensitive information from network traffic. A research paper by information security firm @stake says, Multiple platform Ethernet Network Interface Card (NIC) device drivers incorrectly handle frame padding, allowing an attacker to view slices of previously transmitted packets or portions of kernel memory. This vulnerability is the result of incorrect implementations of RFC requirements and poor programming practices, the combination of which results in several variations of this information leakage vulnerability. It is trivial to exploit and has potentially devastating consequences. Several different variants of this implementation flaw result in this vulnerability, @stake continues. The number of affected systems is staggering, and the number of vulnerable systems used as critical network infrastructure is terrifying. CERT recommends applying patches as soon as they are available and using encryption to protect network traffic, though it won't protect sensitive information leaked from non-network sources, such as kernel memory. For an updated list of affected vendors, please consult the CERT vulnerability note. http://www.kb.cert.org/vuls/id/412115 http:[EMAIL PROTECTED]/research/advisories/2003/index.html#010603-1

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=60695t=60687
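The frame-padding leak the advisory describes, as an added example that is not code from the post, from @stake or from CERT: a sender that pads short frames with explicit zeros (the correct behaviour), and a sniffer-side check that compares each frame's length against the IP total length and flags any non-zero padding, which is how you would confirm the "six bytes of random data" Marc mentions. The MAC addresses, the bare TCP ACK and the leaked bytes are constructed for the demo; checksums are left zero and are not validated.

```python
import struct

ETH_HDR = 14
ETH_MIN_PAYLOAD = 46      # 60-byte minimum frame (without FCS) minus the 14-byte header
ETHERTYPE_IPV4 = 0x0800


def build_frame(dst_mac, src_mac, ip_datagram):
    """Sender side done right: pad a short payload with explicit zero bytes.

    The advisory's bug is drivers that hand the NIC a short buffer and let the
    padding come from whatever the transmit buffer (or kernel memory) still held.
    """
    pad = b'\x00' * max(0, ETH_MIN_PAYLOAD - len(ip_datagram))
    return dst_mac + src_mac + struct.pack('!H', ETHERTYPE_IPV4) + ip_datagram + pad


def padding(frame):
    """Sniffer side: the bytes after the IP datagram, as bounded by the IP total length.

    Returns None for frames that are not IPv4 and b'' when nothing was padded.
    """
    if len(frame) < ETH_HDR + 20 or struct.unpack('!H', frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[ETH_HDR:]
    total_len = struct.unpack('!H', ip[2:4])[0]
    return ip[total_len:]


def leaks(frame):
    """True when the padding carries anything other than zeros."""
    pad = padding(frame)
    return bool(pad) and any(pad)


def scan(frames):
    """Indices of frames in a capture whose padding is non-zero, with the leaked bytes."""
    return [(i, padding(f)) for i, f in enumerate(frames) if leaks(f)]


# Constructed sample: a bare TCP ACK, 20-byte IP header + 20-byte TCP header = 40 bytes,
# so a minimum-size frame carries 6 bytes of padding.
IP_HDR = bytes.fromhex('45000028 00014000 40060000 c0a80001 c0a800c7')
TCP_ACK = bytes.fromhex('0050c000 00000001 00000001 5010ffff 00000000')
DST, SRC = bytes.fromhex('001122334455'), bytes.fromhex('66778899aabb')

CLEAN = build_frame(DST, SRC, IP_HDR + TCP_ACK)
# The same frame as a leaky driver would emit: padding taken from a stale buffer.
LEAKY = DST + SRC + struct.pack('!H', ETHERTYPE_IPV4) + IP_HDR + TCP_ACK + b'secret'
```

Run scan() over a capture of ACK-heavy traffic from a host you suspect and the padding tells you straight away whether its driver zeroes the tail: all-zero padding is the RFC behaviour, anything else is stale buffer contents, and Marc's caveat applies, on shared media the previous packet was already visible to anyone sniffing.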
Re: virtual labs [7:60700]
I have used the Sybex virtual trainer, which was OK for Routing but not so helpful for BCRAN. I haven't used the other two subjects yet. You should note that it is designed to accompany the Sybex books, so if you are not buying those then it is less helpful. If you are cash-strapped and want a couple of routers to practise with, then 3000 series are very cheap on eBay. I have seen these running IOS 12.0 2500 images, you'll probably need to upgrade the flash/RAM. If you're unemployed, don't try to pass well, try to pass quickly. Good luck.

rgds Marc

reddyred wrote: Has anyone found any cheap, USEFUL virtual labs for the CCNP track. I'm currently an unemployed CCNA and don't have $1,000 bucks for online labs nor equipment

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=60712t=60700
Re: Cisco 2501 dot1q encapsulation ? [7:60699]
I've just configured dot1q on a 4500 with NP6E and IOS 12.2, I haven't tested whether it's working.

rgds Marc

Francisco Sedano/Inf-Pronet wrote: 4000? Could you expand on it? Which model/IOS? I have a plain 4000 with 12.1(11) and it doesn't support it..

cebuano Sent by: [EMAIL PROTECTED] 09/01/2003 22:04 Please reply to cebuano To: [EMAIL PROTECTED] cc: Subject: RE: Cisco 2501 dot1q encapsulation ? [7:60699] This is possible with certain models of the 2600 series, and the cheapest router to support this with 10Mb Ethernet is the 4000 series. HTH.

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Larry Letterman Sent: Thursday, January 09, 2003 12:32 PM To: [EMAIL PROTECTED] Subject: RE: Cisco 2501 dot1q encapsulation ? [7:60699] I don't believe so either, since they only support a 10BT ethernet connection... Larry Letterman Network Engineer San Jose Transport Cisco Systems Inc.

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of John Neiberger Sent: Thursday, January 09, 2003 7:43 AM To: [EMAIL PROTECTED] Subject: Re: Cisco 2501 dot1q encapsulation ? [7:60699] I don't believe that any of the 2500 series routers support trunking of any variety. If I'm wrong someone will surely correct me. John

Thomas Muller 1/9/03 8:21:59 AM Hi, I've tried to configure dot1q on the LAN interface on my Cisco 2501 running 12.2 (IP Plus) but it doesn't seem to know the encapsulation dot1q command. Does anyone know if the 2500 series supports dot1q ? Thanks, Thomas [EMAIL PROTECTED] -- +++ GMX - Mail, Messaging & more http://www.gmx.net +++ NEW: Get online with GMX. Surf around the clock for 1 ct/min!

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=60767t=60699
Re: fragmentation question [7:60643]
MTU 1500 means that the network layer datagram size is 1500 max. For IP this is the IP datagram including IP header and transport (TCP/UDP) header and data. Fragmentation occurs at the IP level and only the IP header is duplicated (except offset, checksum etc) into each fragment. The TCP/UDP headers are merely the first part of the data as far as IP is concerned and are therefore left untouched.

HTH Marc

Paul Dong So wrote: Hi All, Please shed a light on this as I am confused. Fragmentation for UDP/TCP: * Only the first fragment contains the UDP or TCP header, not the sequential fragments? Fragmentation for IP packets: * every fragmented packet will contain an ip header? MTU 1500 bytes, doesn't it mean the data payload can not exceed 1500 bytes or the whole packet size (payload+header) can not exceed 1500 bytes? Thanks in advance Paul

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=60653t=60643
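Marc's description of fragmentation, as an added example that is not code from the thread: an IPv4 datagram split for a small MTU so that every fragment gets its own copy of the IP header with a new total length, flags/offset and checksum, while the UDP header travels only in the first fragment because IP treats it as ordinary payload; reassembly puts the payload back from fragments in any order. The addresses, the 100-byte MTU and the payload are constructed, and the UDP checksum is left zero.

```python
import struct

IHL = 20           # header length assumed: no IP options
DF = 0x4000        # Don't Fragment flag in the flags/offset word
MF = 0x2000        # More Fragments flag


def ip_checksum(hdr):
    """RFC 1071 checksum of a 20-byte header whose checksum field is zero."""
    s = sum(struct.unpack('!10H', hdr))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def header_ok(datagram):
    """True if the header checksum verifies: the one's-complement sum of all ten words is 0xFFFF."""
    s = sum(struct.unpack('!10H', datagram[:IHL]))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return s == 0xFFFF


def make_header(src, dst, proto, ident, payload_len):
    """Build a plain IPv4 header (TTL 64, no flags) with a valid checksum."""
    hdr = bytearray(struct.pack('!BBHHHBBH4s4s', 0x45, 0, IHL + payload_len,
                                ident, 0, 64, proto, 0, src, dst))
    struct.pack_into('!H', hdr, 10, ip_checksum(bytes(hdr)))
    return bytes(hdr)


def fragment(datagram, mtu):
    """Split an IPv4 datagram so that every fragment fits in `mtu` bytes.

    IP copies its own header into each fragment (with new length, flags/offset
    and checksum) and slices the payload on 8-byte boundaries. The transport
    header is just the first bytes of that payload, so only fragment 0 carries it.
    """
    hdr, payload = datagram[:IHL], datagram[IHL:]
    if len(datagram) <= mtu:
        return [datagram]
    if struct.unpack('!H', hdr[6:8])[0] & DF:
        raise ValueError('DF set: drop and send ICMP fragmentation needed')
    step = (mtu - IHL) // 8 * 8                 # all but the last fragment carry a multiple of 8
    frags = []
    for off in range(0, len(payload), step):
        chunk = payload[off:off + step]
        more = off + len(chunk) < len(payload)
        fh = bytearray(hdr)
        struct.pack_into('!H', fh, 2, IHL + len(chunk))                  # this fragment's total length
        struct.pack_into('!H', fh, 6, (MF if more else 0) | off // 8)    # flags + offset in 8-byte units
        struct.pack_into('!H', fh, 10, 0)
        struct.pack_into('!H', fh, 10, ip_checksum(bytes(fh)))          # checksum is per fragment header
        frags.append(bytes(fh) + chunk)
    return frags


def reassemble(frags):
    """Rebuild the original payload from fragments in any order; None if one is missing."""
    pieces, end = {}, None
    for f in frags:
        flags_off = struct.unpack('!H', f[6:8])[0]
        off = (flags_off & 0x1FFF) * 8
        pieces[off] = f[IHL:]
        if not flags_off & MF:                  # the last fragment fixes the total size
            end = off + len(f) - IHL
    data = b''.join(pieces[k] for k in sorted(pieces))
    return data if end is not None and len(data) == end else None


# Constructed sample: 192.168.0.1 -> 192.168.0.199, UDP 4660 -> 53 with 200 bytes of data.
UDP_HDR = struct.pack('!HHHH', 4660, 53, 8 + 200, 0)
DATAGRAM = make_header(bytes([192, 168, 0, 1]), bytes([192, 168, 0, 199]), 17, 0x1c46,
                       len(UDP_HDR) + 200) + UDP_HDR + b'A' * 200
```

With an MTU of 100 the 228-byte datagram becomes three fragments of 100, 100 and 68 bytes; the ports sit only in the first one, which is why a firewall that matches on transport headers has to reassemble, or at least track the identification field, before it can judge the second and third. A datagram that already fits is returned unchanged, and one with DF set is refused rather than silently split.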
Re: IOS process scheduler algorithm [7:60206]
Thanks Mark, I get it now I think. I was envisaging processes remaining in the queue and a pointer selecting each in turn. In fact of course, because it's not a pre-emptive OS, this doesn't occur, the processes are removed (as in fact stated in the book) and put on either the idle or dead queue. Also I was envisaging an equal number of processes in each queue whereas after further consideration I would guess that most processes are high or medium.

thanks again, Marc

Vicuna, Mark wrote: Nope - From step 34 in the book. There are no counters for critical and high priority queues either. The 'failsafe' for servicing the medium priority is when all the processes in the critical and high ready queues have been executed or when a medium priority instance is found when servicing the low priority queue (interleave) - all the medium processes will be executed. The scheduler will not service the low priority queue within 15 times of skipping the low queue - and even then, if the scheduler is executing low priority instances it will still service a medium (or critical or high) process if one is found in the ready queue. hth, Mark.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=60365t=60206
Re: Off Topic - More Bitching about Cisco's New Web Site [7:60308]
Well I thought the site was very slow - until I realised I'd stuck a clock rate 64000 on my frameswitch router so that I could see some queueing :-) I now go straight for the search button, but there are some horrors in there. There seem to be more pdfs as well which is good, but then sometimes there is only a pdf. There's a bit under technologies where I burrowed down through QoS, congestion management, through queuing and then to WFQ to find a short paragraph telling me what it was. I'd really wanted a white paper detailing algorithms! I'm sure I'll crack it sometime.

rgds Marc

The Long and Winding Road wrote: Is it just me? More broken links? Harder to find the everyday tools? Slower - a LOT slower - navigating around? Seems like just about every day I'm filling out one of those feedback forms to report a problem, assuming I've found the basic page I'm looking for anyway. For example - check out the links on this page. http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/ip_r/iprprt2/index.htm (watch the wrap) and whatever happened to the tool index? It was no fun searching for the Software Advisor and the IOS Upgrade Planner this morning. grumble grumble grumble -- TANSTAAFL there ain't no such thing as a free lunch

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=60308t=60308
IOS process scheduler algorithm [7:60206]
Hi all, I am reading Cisco Press Inside Cisco IOS Software Architecture and have some outstanding questions about the scheduler, maybe somebody can help me. The text describes how the low priority queue is only skipped 15 times before it is serviced even when there are processes queuing at higher priorities. Does this count up to 15 include the times that both medium and low priority queues are skipped? There seems to be no similar counter for the medium queue, am I correct then in assuming that the only failsafe servicing of the medium priority queue is achieved via the interleaving occurring during failsafe servicing of the low priority queue, which would imply the answer to the first question?

rgds Marc

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=60206t=60206
Re: Cisco career advice needed [7:60013]
In the last place I worked, rumour has it that one of my colleagues was interviewed and thus obtained a UK visa on the basis of his CCIE, and this later turned out to be written only. HR departments / technical management aren't always as rigorous as you may think :-) If this is true then I think you could definitely say that it can be of benefit.

rgds Marc

Frank Jimenez wrote: Where I *have* seen it helpful is in specific cases where a company was anticipating needing a CCIE-level applicant at a future date. So the following: CCIE Routing/Switching - Lab Scheduled 6/2003 Might be helpful. The CCIE written qualification alone hasn't helped anybody that I know of. Frank Jimenez, CCIE #5738 Systems Engineer Cisco Systems, Inc. [EMAIL PROTECTED]

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of irfan siddiqui Sent: Tuesday, December 31, 2002 3:23 AM To: [EMAIL PROTECTED] Subject: Cisco career advice needed [7:60013] Hi, Does the CCIE qualification exam itself have any worth. I know that your not a CCIE without giving the actual Lab part of the exam, but how does the CCIE written exam scale on its own, career wise. Does it help improve job prospects. What are the benefits of this exam on its own, or is it totally useless without the LAB part. Say if i never appear for the LAB, for any reason, would the written exam be any worth of mention, like say on my resume or as a credential. Thanks for all your advice in advance. Irfan

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=60224t=60013
Re: CCIE Vs. BS or MS degree [7:59481]
Thomas Larus wrote: snip As for nrf, - his contributions to groupstudy have been almost entirely negative. While it is helpful to have some discussion of things like the job market and the question of whether it is better to invest time and effort in a degree versus certification, constantly chiming in with negative thoughts and assessments is not very helpful. This is something of a support group, and in these difficult times, those of us who have already set out to achieve certification goals need encouragement and technical advice.

I have recently strongly disagreed with nrf, but I do not find him negative as you suggest. I think it's a shame if people cannot contribute without being personally attacked in such a generalised manner.

I do not know if nrf is one of these people (he could just be negative for no particular reason), there are some people who come to these discussion groups to discourage others from pursuing dreams the achievement of which might bring about a greater number of certified IT professionals and perhaps exert downward pressure on salaries.

I don't know nrf personally but I doubt that he's that influential. Anybody who gets put off the cert process by reading a discouraging viewpoint on this list probably doesn't have the mettle to see it through anyway.

rgds Marc

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=60271t=59481
Re: Test for MCast...Any?? [7:58269]
Hi Phil,

I came across this link and thought it might be useful to you. http://www.videolan.org/

rgds
Marc

Cisco Nuts wrote:
> Hello,
> Is there a way to test/practise MCast configs on the Internet? I have a cable-modem connected to a 2514 router and would like to configure MCast on it as well as my Lab routers behind that for PIM-SM. I have a laptop connected as a client to one of the routers. How can I verify that MCast is working on the laptop? I mean, is there a freeware/shareware application that I can install on my laptop to test (since I cannot obviously have IP/TV client on my laptop)? Or is there any other way to do it in the Lab routers themselves? Any basic configs/examples provided are gratefully appreciated.
> Thank you for your help.
> Sincerely,
> CN

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=59472t=58269
Re: Off Topic but interesting - RS networking future? [7:59376]
A few points:

When I was fresh in the IT industry (over 20 years ago) the old-timers who had been working maybe four years already would tell me that there was no future in programming; after all, they said, who uses a chauffeur now that cars are so easy to drive?

Cars need very little maintenance now; there are still plenty of mechanics because there are more cars.

Phone companies still employ a lot of telephone engineers, large corporates often have on-site telephone staff. There are more phone companies now. Voice is a commodity.

Here in London during the 80's property boom, electricians and plumbers on the large contracts were being paid a lot more than any network engineer I heard of at the time.

rgds
Marc

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=59376t=59376
Re: Off Topic but interesting - RS networking future? [7:59402]
nrf wrote:
> I would just add that many times (actually, more often than not) predictions actually turn out to be correct.

We could trade predictions forever :-) What about the bloke who said nobody will ever need more than 640k RAM? He still got rich.

> And even for those jobs that didn't decline, there was significant change in what they did. Mechanics can't just know how to fix carburetors, now they have to understand fuel-injection.

Definitely. Janitors now use vacuum-cleaners as well as brooms. Telephone operators now use keyboards, not patchcords. Networkers will need to know more than just layers 2 and 3. But there will be a continued demand for R/S as part of the networker's job.

Another point is that bandwidth is not necessarily cheap all over the world, Europe is more expensive than the US, and Asia even worse, so engineering is required, in fact surely traffic engineering is all the rage at the moment.

I guess what I want to say is that when an economy is booming, people unrealistically believe it's forever and they will be millionaires by next June. Conversely when the economy is in a trough then people get gloomy and believe that they'll never pay off their credit card bills. Neither view is realistic. R/S is not dead, it's sleeping and will wake up. Granted there will not be the insane rush into network builds that we saw a few years ago but the wireless boom is around the corner.

rgds
Marc

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=59402t=59402
Re: Perhaps O/T: Window TCP Rcv Window [7:59400]
Are you trying to make the window smaller?

rgds
Marc

s vermill wrote:
> On a W2k machine, I've tried several different recommendations for adjusting the TCP receive window size. None of them, including those directly from Microsoft, seem to have any impact. I'm capturing my own traffic and my advertised window is always in the 64k range.
>
> I've tried editing the \tcpip\parameters to include 'TcpWindowSize' and 'GlobalMaxTcpWindowSize' - neither of which had any effect. I've tried editing \VxD\MSTCP to include 'DefaultRcvWindow' - also no effect.
>
> Anyone know how to manipulate the rcv window that my machine will advertise? For that matter, what about the other MS OSes? XP? Win98?
>
> Thanks all,
> Scott

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=59405t=59400
Re: Perhaps O/T: Window TCP Rcv Window [7:59400]
Scott,

A clue from this webpage: http://www.psc.edu/networking/perf_tune.html

Describing Win98 it says DefaultRcvWindow is a string type and the value describes the default receive window size for the TCP stack. Otherwise the window size has to be programmed in apps with setsockopt. Perhaps the app is setting it differently. It also seems to imply that GlobalMaxTcpWindowSize should do it since the OS should enforce this on the app. Do you know what units the variable uses? That website indicates that the default is a gig, so it may be measured in K or M, just a thought.

rgds
Marc

s vermill wrote:
> Marc Thach Xuan Ky wrote:
>> Are you trying to make the window smaller?
>> rgds
>> Marc
>
> Yes. I was hoping to set up a demonstration on the impact of high bandwidth*delay product networks without actually having a high bandwidth*delay product network. By artificially enforcing a small rcv window, I should get about the same result.
>
> Thanks Marc,
> Scott
>
> s vermill wrote:
>> On a W2k machine, I've tried several different recommendations for adjusting the TCP receive window size. None of them, including those directly from Microsoft, seem to have any impact. I'm capturing my own traffic and my advertised window is always in the 64k range.
>>
>> I've tried editing the \tcpip\parameters to include 'TcpWindowSize' and 'GlobalMaxTcpWindowSize' - neither of which had any effect. I've tried editing \VxD\MSTCP to include 'DefaultRcvWindow' - also no effect.
>>
>> Anyone know how to manipulate the rcv window that my machine will advertise? For that matter, what about the other MS OSes? XP? Win98?
>>
>> Thanks all,
>> Scott

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=59416t=59400
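The bandwidth*delay product Scott wants to demonstrate, and the setsockopt route the psc.edu page mentions, as an added example that is not code from the thread: the functions below compute the bandwidth*delay product of a path, the throughput ceiling a fixed receive window imposes on it (one window per round trip), and request a receive buffer for a single socket with SO_RCVBUF, which bounds what that socket advertises without touching the machine-wide registry settings. The link speeds, RTTs and window sizes are constructed; how much buffer the kernel actually grants is platform-specific.

```python
import socket


def bandwidth_delay_product(bandwidth_bps: int, rtt_seconds: float) -> int:
    """Bytes that must be in flight to keep a path busy: bandwidth * RTT, in bytes."""
    return int(bandwidth_bps * rtt_seconds / 8)


def window_limited_throughput(window_bytes: int, rtt_seconds: float) -> float:
    """Throughput ceiling (bits/s) imposed by the receiver's advertised window.

    Without window scaling the sender may have at most one window outstanding
    per round trip, so a 64k window on a 100 ms path caps out near 5 Mbit/s
    however fast the link is. This is the effect Scott wants to reproduce by
    shrinking the window instead of lengthening the path.
    """
    return window_bytes * 8 / rtt_seconds


def effective_throughput(link_bps: int, window_bytes: int, rtt_seconds: float) -> float:
    """The slower of the link itself and the window-imposed ceiling, in bits/s."""
    return min(float(link_bps), window_limited_throughput(window_bytes, rtt_seconds))


def set_receive_buffer(requested_bytes: int) -> int:
    """Request a receive buffer with SO_RCVBUF and return what the stack granted.

    This is the per-application route the psc.edu page refers to: the socket
    option bounds the window this one socket advertises, leaving the system
    defaults alone. Linux reports twice the request (it reserves bookkeeping
    space) and clamps the request to net.core.rmem_max; other stacks differ.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_RCVBUF, requested_bytes)
        return s.getsockopt(socket.SOL_SOCKET, socket.SO_RCVBUF)


if __name__ == "__main__":
    # Constructed scenario: a 100 Mbit/s link with a 100 ms round trip.
    link, rtt = 100_000_000, 0.100
    print("bytes needed in flight:", bandwidth_delay_product(link, rtt))
    for window in (8_192, 16_384, 65_535):
        mbps = effective_throughput(link, window, rtt) / 1e6
        print(f"window {window:>6} bytes -> at most {mbps:.2f} Mbit/s")
    print("SO_RCVBUF granted for an 8192-byte request:", set_receive_buffer(8_192))
```

The point of running it is the second line of output: on a fast link with a 100 ms round trip, a 64k window already limits the transfer to about 5 Mbit/s, and an 8k window to well under 1 Mbit/s, which is the "high bandwidth*delay product" experience without the long path.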
Re: Perhaps O/T: Window TCP Rcv Window [7:59400]
Richard, that looks like a gem! We should all have one of those.

Thanks,
Marc

Larkin, Richard wrote:
> A much much much easier way is to use a PC, load the dummynet image on a floppy disk, then in about 5 minutes with the right configuration, you have a simulated WAN, including bandwidth and delay. Dummynet works on FreeBSD or, as we do, you can download the version that fits on a floppy and boot from it. We use it to teach our application developers the hard lesson that not everyone has a 100Mbps link to the servers, most sites have 64kbps.
>
> Rik
>
> -----Original Message-----
> From: s vermill [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, 18 December 2002 6:40 AM
> To: [EMAIL PROTECTED]
> Subject: Re: Perhaps O/T: Window TCP Rcv Window [7:59400]
>
> Marc Thach Xuan Ky wrote:
>> Are you trying to make the window smaller?
>> rgds
>> Marc
>
> Yes. I was hoping to set up a demonstration on the impact of high bandwidth*delay product networks without actually having a high bandwidth*delay product network. By artificially enforcing a small rcv window, I should get about the same result.
>
> Thanks Marc,
> Scott
>
> s vermill wrote:
>> On a W2k machine, I've tried several different recommendations for adjusting the TCP receive window size. None of them, including those directly from Microsoft, seem to have any impact. I'm capturing my own traffic and my advertised window is always in the 64k range.
>>
>> I've tried editing the \tcpip\parameters to include 'TcpWindowSize' and 'GlobalMaxTcpWindowSize' - neither of which had any effect. I've tried editing \VxD\MSTCP to include 'DefaultRcvWindow' - also no effect.
>>
>> Anyone know how to manipulate the rcv window that my machine will advertise? For that matter, what about the other MS OSes? XP? Win98?
>>
>> Thanks all,
>> Scott

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=59420t=59400
Re: Selective NAT [7:59287]
IIRC when you use route-maps you should note that the NAT is session-based (like with twice-NAT) with various consequences:

- you cannot make new connections into the inside global address without NAPT (PAT)
- you may use your pool addresses rather quicker than you envisaged

rgds
Marc

The Long and Winding Road wrote:
> wrote in message news:[EMAIL PROTECTED]...
>> Is it possible to use extended ip access-lists for NATing? Basically I want traffic from a particular subnet destined for a particular subnet only to be NATed?? All other traffic should not be NATed.
>
> as a follow up - here is an excerpt from the link in the previous message:
>
> Route Map Approach
>
> The correct way to configure the example in this document is to use route maps. With a route map approach, you would do the following to translate the hosts on 10.1.1.0:
>
> ip nat pool pool-108 131.108.2.1 131.108.2.254 prefix-length 24
> ip nat pool pool-118 131.118.2.1 131.118.2.254 prefix-length 24
> ip nat inside source route-map MAP-108 pool pool-108
> ip nat inside source route-map MAP-118 pool pool-118
>
> interface ethernet0
>  ip address 10.1.1.1 255.255.255.0
>  ip nat inside
>
> interface ethernet1
>  ip address 10.1.2.1 255.255.255.0
>  ip nat outside
>
> access-list 108 permit ip 10.1.1.0 0.0.0.255 131.108.1.0 0.0.0.255
> access-list 118 permit ip 10.1.1.0 0.0.0.255 131.118.1.0 0.0.0.255
>
> route-map MAP-108 permit 10
>  match ip address 108
>
> route-map MAP-118 permit 10
>  match ip address 118
>
> Cheers
> Simon

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=59314t=59287
Re: Power Cable [7:58614]
Sounds like a standard IEC kettle lead to me. At least here in the UK, that's what they're for, electric kettles. IIRC these plugs are used for temperature-resistant leads, and the notch allows you to use a temperature-resistant lead in any application, but to disallow the incorrect lead in your kettle or other hot object. This may be an indication that your 7000 is going to suck some serious power 8^) In the UK you can get one of these in the local electrical store, YMMV.

rgds
Marc

NetEng wrote:
> I bought a 7000 router off of ebay. It did not come with a power cable and I can not find one for the life of me. I purchased and received CAB-7KAC=, but this cable does not fit. It says on the package that it's a 7500 series AC power cord. On Cisco's website it says to order this cable but, again, it does not fit. Below is a layout of the power supply connector. Does anyone know the correct power cable to order (and where) to get it? TIA.
>
> The connector is like every other one (router/monitor/PC) except it has a small ridge between the top prongs.
>
>  | [] U [] |
>  |         |
>  |    []   |

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=58695t=58614
Re: O/T too much time on my hands? [7:57484]
Hi Priscilla,

At the end of the slideshow you ask for other methods, well I've got one and it's really easy. Before I start you should note that my emoticons have broken down so you may need to insert your own.

Unfortunately my first attempt to implement the method that I'm about to describe was error-prone and gave the answer as 31 triangles. Now, the shape is five-way symmetrical (which indicated that 31 was probably not correct), it's a five-point star with the pointy nodes joined together by extra links. We'll call the five pointy bits distribution nodes, and the five intersections in the middle we'll call core nodes. The area outside the shape is the access area.

Now any given triangle can have either 3 distribution, 2 distribution / 1 core, 1 distribution / 2 core, or 3 core (except that the core isn't meshed so this is zero). We will abbreviate these types as 3D, 2D/1C, 1D/2C, and 3C because we like jargon. Inspection also shows that the 3D types can be subdivided into long triangles and fat triangles (3LD and 3FD). 2D/1C types can also be subdivided, into adjacent D's and non-adjacent D's (2AD/1C and 2ND/1C). With me so far? Good, because we now subdivide the 2AD/1C into three subtypes: straight down, hanging left and hanging right (2AD/1Cbis, 2AD/1C(L), 2AD/1C(R)).

Anyway all told we now have eight categories of triangle, we can count each category (please don't count the 3Cs during your leisure time). So by breaking the problem down this way, it is easier to count and thus much quicker to implement. In fact we now just have to count from one to five several times. Of course if we employed a project manager the problem could be shared between seven triangle-counters working in parallel. This could bring the end-date in by a full ten percent.

Disclaimer: Note that if working in a quality-assured environment you will need eight triangle-counters. The 3C type cannot be assumed to have no triangles. Time-savings shown are for example only and cannot be guaranteed.

Just to close, there is a further refinement of the technique. Because the shape is five-way symmetrical, you in fact only have to count to one, what could be more straightforward than that? This has the added benefit of enabling the project to be broken up into even smaller and more manageable tasks.

One more thing, perhaps it's a trick question. All nodes may run STP so all loops are removed, hence the correct answer could be zero.

BTW if you were wondering about the access area, it's not actually relevant.

rgds
Marc TXK

Priscilla Oppenheimer wrote:
> I added a Topology Troubleshooting Puzzle to my Web site. It's not Cisco-specific. Well, to be honest, it's not even networking specific! ;-) But it does make you think and wonder how you could be so blind, if you're like me when I first did it. Be sure to actually try it before going on to the solution. OK, is that enough filler? The URL is here:
>
> http://www.troubleshootingnetworks.com/triangles/index.htm
>
> Offline, let me know what you think (if you have my address, which I can't publish due to commercial unsolicited e-mail.)
>
> Priscilla

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=57502t=57484
Re: build tcp/ip on PC serial port [7:56885]
Hi Cable,

A normal PC serial port is async, as in U.Async.R.T, so will not connect to a standard sync cisco port. If you really want to run sync then yes, you will need a sync port on the PC but this is minority interest hardware and will not be cheap. Try manufacturers such as Eicon. I would expect a sync serial card to have IP software available but then I've never done it myself. Where is this technical requirement coming from?

rgds
Marc TXK

Cable Guy wrote:
>> Ah, you want remote access. You want to let the PC join the network even though it's connected via its serial port. That's very doable. It used to be pretty common for PCs to connect that way in the olden days. Check out the Cisco documentation on terminal services or access servers. Or maybe somebody can just tell you how to do it. Someone who has recently studied BCRAN could help maybe?
>
> I am talking about ppp over serial (BCRAN topic) but not remote access with modems, aux ports, or asynch ports. Take a standard back to back router1 serial0 to router2 serial0, each with configured IPs. Keep this picture in mind, but replace one of the routers with a PC. Back to back WAN connection from PC to router's serial0. I think finding a serial port with a driver that allows tcp/ip to bind on it is the correct way to describe the obstacle here?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=57044t=56885
Re: build tcp/ip on PC serial port [7:56885]
Am I being thick or something, isn't this what Windows dial-up networking is for? or *NIX pppd? Alternatively, what about some pre-MS stack for Windows or DOS ?8^)

rgds
Marc TXK

Cable Guy wrote:
> The fact that you can dial into the Internet is more proof that you can run TCP/IP over the PC's serial port. Hmm, why do people need proof of this? Maybe I should read the archives. Tcp/ip can be bound to anything. Build an interface that sends electrical signals down two thin water streams, code a driver, and you can bind tcp/ip to water.
>
> Anyway, that USB pdf link site is down and I can't access it now. I see there are some USB network hubs. Do these work with only USB network machines? Hmm, these could be slip/ppp then. An entire hub of slip/ppp...I wonder. The ones that interface directly with rj-45 are no hope. I wonder even if the signal actually coming out of the USB port is slip/ppp framed, then converted outside, or just straight ethernet framed off before exiting USB port. I do see some USB network card implementations are just a plug into the USB port with no wires exposed, and a rj-45 plugin dongle like thing. I guess I need one with wires exposed to cut into them, and with slip/ppp.
>
> Surely there is a serial card with boundable driver out there somewhere? Help.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=56984t=56885
Was Re: build tcp/ip on PC serial port [7:56885] now OT [7:56999]
Dom, please don't embarrass me on-list, I was pretending not to know you! I was actually thinking of Ice, but then I'm really old. I don't have time for video anyway, not now I've discovered cisco certification.

Marc

[EMAIL PROTECTED] wrote:
> Hi Marc,
> You mean something like Trumpet mate?
> BTW, how do you program your video? Have you ported QNX to it yet?
> Regards,
> Dom Stocqueler.
>
> Marc Thach Xuan Ky
> Sent by: [EMAIL PROTECTED]
> 06/11/2002 10:39 AM
> Please respond to Marc Thach Xuan Ky
> cc:
> Subject: Re: build tcp/ip on PC serial port [7:56885]
>
>> Am I being thick or something, isn't this what Windows dial-up networking is for? or *NIX pppd? Alternatively, what about some pre-MS stack for Windows or DOS ?8^)
>> rgds
>> Marc TXK

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=56999t=56999
Re: Study group:UK [7:56900]
Hi Greg,

Where about in London are you? I'm in SE14 and would certainly be interested in forming a local group.

rgds
Marc TXK
[EMAIL PROTECTED]

Greg Nathan wrote:
> Hi
> Anyone in London, UK want to form a study group where we can bounce around a few ideas and lab practise strategies? I have a fully kitted lab with 7 routers with voice, 2 switches, ISDN simulator etc. I am based in London, would prefer something a little less virtual if possible.
> Lemme know.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=56910t=56900
Re: Getting slightly back on Topic - VOTE [7:56758]
Priscilla Oppenheimer wrote:
> What will it be when we're old geezers that we won't get? There will probably be some technology that the young people all get that we will be clueless about. I won't like that. ;-)

Wot? Do you mean you can work the video?

rgds
Marc TXK

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=56946t=56758
Re: router boots in to rommon [7:54591]
Hi,

I had a very similar message, I changed the cache and main RAM, but I just got different error messages. I concluded that I had a bad backplane. However, I swapped around the NP modules, and it's been working fine since.

rgds
Marc

nettable_walker wrote:
> Thank you
> I already swapped memory once, but I will try it again.
>
> Kim Graham wrote in message news:[EMAIL PROTECTED]...
>> Check your flash for crash info files. You can read through these and/or download them to add to your TAC case. You have a memory error and may need to swap out a stick of memory. Searching Cache Error Exception 4700 and Cache Parity Exception 4500 separately gives you many links that will help you to understand what is happening. You do not need a CCO account to do this search.
>>
>> Kim

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=54636t=54591
Re: Why does IOS only allow ICMP granularity on destination [7:42609]
The ICMP type specified is not related to either source or destination address. It is not like a port, it is just the type of frame. You could ask why the syntax is not:

permit icmp echo any any

It just isn't, possibly for historical reasons, maybe just arbitrary. More to the point, why do cisco bundle together type and code into one descriptor, such as the ridiculous *packet-too-big* keyword?

rgds
Marc TXK

Anthony Pace wrote:
> for instance:
>
> access-list 101 permit icmp any host 207.122.1.5 echo
> access-list 101 permit icmp host 207.122.2.3 any echo-reply
>
> but not
>
> access-list 101 permit icmp any echo-reply any
>
> Anthony Pace

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=42609t=42609
Re: OT: Using a Router to redirect IP traffic [7:42217]
Hi Trevor,

Assuming that your servers have unique public IP addresses and you can get a small new address space from the colocation provider (for use as a NAT pool) then this would be technically feasible using twice-NAT. However, you would be paying your current colo provider for twice the bandwidth that you already consume plus your new provider. You would add hops, delay, packet loss, and complexity. If you do not have at least one spare server (assuming similar platforms) then you will require downtime when you move each server anyway, so you could change the DNS entry then. Note that you must lower the TTL of DNS entries so as to let cached records expire in time for the change. Note also that if all traffic is web, then you might like to consider HTTP redirection as a technique in case your current DNS TTLs are already too long.

rgds
Marc

Trevor Jennings wrote:
> Hello,
> Where I work, we have a number of servers being co-located at one location and are planning on moving those servers to another co-location provider soon. My boss asked me why we could not, when we move the servers, just place a router at the original ISP to redirect all traffic from the original IPs to the new IPs rather than having duplicate servers or adjusting the DNS at the same time. I told him that I wasn't sure whether it was possible and was told by a friend that it's not really possible to do that. Can anyone confirm that or rather explain why that is not possible? My Boss's theory was that we would have a router with 2 ethernet ports and redirect the original IPs to the new IPs through the second ethernet.
> Cheers,
> - Trevor

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=42223t=42217
Re: ACL - Let's put some numbers on... [7:41738]
Some time ago I was messing about with a 3640 and IIRC I measured about 70k pps (unidirectional traffic) with no acls. An acl where the traffic was permitted on the first line dropped it to about 55k pps. Pushing the permit acl lines down the list dropped another approx 1% throughput for each line processed. The IOS was probably 11.2.

rgds
Marc

Ole Drews Jensen wrote:
> My first line of defence is a 3620, and I am using an ACL on the outside interface for incoming traffic, trying to stop some of the 'bad' traffic before it continues to my firewall. I know how to design the access-list so the most often received traffic is checked first, and so on, and I know that I should keep it as simple as possible and not create a huge access-list with 100's of lines.
>
> However, it got me wondering. How much does it slow down the incoming traffic every time I add a new line to my access-list? This is a very hard question to answer though, because if created well, most traffic should be filtered out before halfway through the access-list, and I guess it also depends on the speed of the processor.
>
> If we look at the 3620, it has an 80Mhz RISC processor, so can someone give me a result here? If we have a full T1 fully loaded with incoming traffic, how long a delay would there be per line-to-be-checked in an ingoing extended ACL?
>
> Thanks for your comments...
>
> Ole
>
> ~
> Ole Drews Jensen
> Systems Network Manager
> CCNP, MCSE, MCP+I
> RWR Enterprises, Inc.
> [EMAIL PROTECTED]
> ~
> http://www.RouterChief.com
> ~
> Need a Job?
> http://www.OleDrews.com/job
> ~

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=42233t=41738
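Two points from the ACL threads above, as one added example that is not code from the list: Marc's remark that the ICMP type in an extended ACE qualifies the packet rather than either address (so `permit icmp any echo-reply any` is not parseable), and the cost Ole asks about, which comes from IOS walking the list top-down until the first match. The evaluator below parses Anthony's two entries plus one constructed wildcard-mask entry, applies IOS wildcard semantics, and returns both the verdict and how many entries were examined to reach it; the packets are constructed and 10.0.0.7 is an assumed inside host.

```python
from dataclasses import dataclass
from ipaddress import ip_address
from typing import List, Optional, Tuple

# IANA ICMP type numbers behind the two IOS keywords that appear in the thread.
ICMP_KEYWORDS = {"echo": 8, "echo-reply": 0}


@dataclass(frozen=True)
class Ace:
    """One access-list entry: source and destination are (address, wildcard) pairs."""
    action: str
    proto: str
    src: Tuple[int, int]
    dst: Tuple[int, int]
    icmp_type: Optional[int]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    icmp_type: Optional[int] = None


def parse_address(tokens: List[str], i: int) -> Tuple[Tuple[int, int], int]:
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' starting at tokens[i]."""
    if tokens[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tokens[i] == "host":
        return (int(ip_address(tokens[i + 1])), 0), i + 2
    return (int(ip_address(tokens[i])), int(ip_address(tokens[i + 1]))), i + 2


def parse_ace(line: str) -> Ace:
    """Parse 'access-list N permit|deny icmp SRC DST [TYPE]' in IOS token order.

    The ICMP type is the optional last token, after both addresses. Putting
    'echo-reply' in the destination slot makes parse_address try to read it as
    an address, which raises ValueError: the type is a property of the packet,
    not of either endpoint, and the syntax reflects that.
    """
    t = line.split()
    if len(t) < 6 or t[0] != "access-list" or t[2] not in ("permit", "deny"):
        raise ValueError(f"not an extended ACE: {line!r}")
    src, i = parse_address(t, 4)
    dst, i = parse_address(t, i)
    icmp_type = None
    if i < len(t):
        icmp_type = ICMP_KEYWORDS[t[i]] if t[i] in ICMP_KEYWORDS else int(t[i])
    return Ace(t[2], t[3], src, dst, icmp_type)


def is_valid_ace(line: str) -> bool:
    try:
        parse_ace(line)
        return True
    except (ValueError, IndexError):
        return False


def address_matches(spec: Tuple[int, int], packet_addr: str) -> bool:
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    addr, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF
    return (addr ^ int(ip_address(packet_addr))) & care == 0


def evaluate(acl: List[Ace], pkt: Packet) -> Tuple[str, int]:
    """Walk the list top-down, first match wins; return (action, entries examined).

    Each entry examined before the match is per-packet work on the router,
    which is what Marc's rough 1%-per-line measurement is counting. A packet
    matching nothing falls to the implicit deny after examining every entry.
    """
    for n, ace in enumerate(acl, 1):
        if ace.proto != pkt.proto:
            continue
        if not address_matches(ace.src, pkt.src) or not address_matches(ace.dst, pkt.dst):
            continue
        if ace.icmp_type is not None and ace.icmp_type != pkt.icmp_type:
            continue
        return ace.action, n
    return "deny", len(acl)


# Anthony's two entries, plus one constructed entry to exercise a wildcard mask.
SAMPLE_ACL = [
    "access-list 101 permit icmp any host 207.122.1.5 echo",
    "access-list 101 permit icmp host 207.122.2.3 any echo-reply",
    "access-list 101 permit icmp 10.0.0.0 0.0.0.255 host 207.122.1.5",  # constructed
]

if __name__ == "__main__":
    acl = [parse_ace(line) for line in SAMPLE_ACL]
    for pkt in (Packet("10.0.0.7", "207.122.1.5", "icmp", 8),   # echo request out
                Packet("207.122.2.3", "10.0.0.7", "icmp", 0),   # echo reply back
                Packet("207.122.2.3", "10.0.0.7", "icmp", 8)):  # echo request in
        print(pkt, "->", evaluate(acl, pkt))
    print("parseable:", is_valid_ace("access-list 101 permit icmp any echo-reply any"))
```

The third packet is the instructive one: it has the same addresses as the permitted echo reply but the wrong type, so it fails entry two on the type check alone and falls to the implicit deny after all three entries have been examined.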
Re: Riddle [7:41491]
The last time I looked, a Cisco router would send an ICMP administratively unreachable message when an access list blocked a packet. What the source host does with that is not up to the router.

Marc

Dimitris Vassilopoulos wrote:
> Team,
> I was wondering... Is it possible to make a router respond to an access-list blocking, using a custom-made user defined phrase? For example, if we deny telnet from a host we need to reply to him "Access-list blocks incoming telnet..." ?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=41579t=41491
Re: A little help in the right direction [7:41500]
Joel,

Start with a management summary which includes a statement that it will save your business X thousand creds per year, recouping capital and manpower implementation costs within Y months. Then write a load of blurb to prove it. Job done. Remember to think business, not technical, and that at the moment, only you know why it should be done.

rgds
Marc

Joel Panetta wrote:
> Can anyone point me in the right direction to implement a pros and cons document for a backbone and infrastructure upgrade? We have a Catalyst 5000 backbone I want to push to 6509 with redundancy but have to put it all on paper.
>
> Thanks
> Joel Panetta - CCNA, MCP
> Network Engineer - Anda, Inc
> 954-217-4797
> [EMAIL PROTECTED]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=41584t=41500
Re: Signature for blocking telnet to SMTP server [7:41565]
Timing was my first reaction, but this whole thing may not be a good idea anyway. If you cannot stop the TCP connection establishment, then blocking further access is pretty futile. Anyone who can telnet to you could also put up an SMTP server of their own or script a session. I think that refusal of connections on mailservers is generally at the application layer based on source IP address, by address range and/or DNS PTR record lookup. There are lists of dialup IPs and also various email blacklists, see http://mail-abuse.org. It doesn't seem very scientific or rigorous but if you have a public SMTP server then it's public. At least that way your server gets to tear down the TCP session.

rgds
Marc

Priscilla Oppenheimer wrote:
> When people Telnet to an SMTP server, what do they then do? Do they manually send the normal SMTP commands? Sorry, if that's a dumb question, but I'm just trying to figure out the situation.
>
> If they are not Telnetting in order to send ordinary SMTP commands (HELO, RSET, RCPT, DATA, etc.) then of course, you could recognize them by what they aren't doing.
>
> Let's say they are sending ordinary SMTP commands. Would it be possible then to recognize this by the timing? Even the fastest typist can't send those commands as fast as e-mail software can.
>
> That's my $0.0010. Please do answer, though. I'm trying to learn more about this curious thing of Telnetting to ports other than 23.
>
> Priscilla
>
> At 02:51 AM 4/16/02, Cisco Breaker wrote:
>> Hi,
>> Is it possible to block telnet to an SMTP server from port 25 with IDS? I want to create a custom signature for this but I don't know how this can be done. If I write a signature beginning with hello it will block all mail traffic because all of them start with hello as I know. And are there any resources that tell how to write a custom signature? We are using CSPM 2.3.3i. Any help will be appreciated.
>> Best regards,
>> Cisco Breaker
>
> Priscilla Oppenheimer
> http://www.priscilla.com

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=41668t=41565
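Marc's alternative to an IDS signature, refusing at the application layer on source address and reverse DNS so the server itself closes the session, together with Priscilla's timing idea kept as a detector, as an added example that is not code from the thread. The dial-up range, blacklist entries and PTR records are constructed stand-ins for the lists Marc refers to; nothing here queries real DNS or a real blacklist, and the command timestamps are a constructed session.

```python
from ipaddress import ip_address, ip_network
from typing import Callable, Iterable, List, Optional, Tuple

# Constructed policy data. In a real server the first two come from a DNSBL or
# dial-up list feed and the third from a PTR lookup on the connecting address.
DIALUP_RANGES = [ip_network("192.0.2.0/24")]
BLACKLIST = {"198.51.100.23"}
PTR_RECORDS = {
    "203.0.113.10": "mx1.example.net",
    "198.51.100.23": "host-23.example.org",
}


def connection_policy(src_ip: str,
                      ptr_lookup: Callable[[str], Optional[str]] = PTR_RECORDS.get,
                      dialup: Iterable = DIALUP_RANGES,
                      blacklist=BLACKLIST) -> Tuple[bool, str]:
    """Decide at accept() time whether to offer SMTP to src_ip.

    Returns (accept, first line sent to the client). Only the source address
    and its reverse record are consulted, which is all a listener knows before
    the client has spoken. Refusing here, with an SMTP reply, means the mail
    server closes the TCP session itself, which is Marc's point about who gets
    to tear the connection down.
    """
    ip = ip_address(src_ip)
    if any(ip in net for net in dialup):
        return False, "554 5.7.1 Service unavailable; dial-up address space not accepted"
    if src_ip in blacklist:
        return False, "554 5.7.1 Service unavailable; client host is blacklisted"
    if ptr_lookup(src_ip) is None:
        # 4.7.25 is the enhanced status code for a failed reverse-DNS check.
        return False, "450 4.7.25 Client host rejected: cannot find your reverse hostname"
    return True, "220 mx.example.net ESMTP ready"


def looks_interactive(command_times: List[float], max_gap_seconds: float = 2.0) -> bool:
    """Priscilla's timing idea as a detector, not a blocker.

    A mail client issues HELO/MAIL/RCPT/DATA back to back; a person typing at a
    telnet prompt leaves gaps of seconds. Returns True if any gap between
    consecutive commands exceeds max_gap_seconds. A scripted session defeats
    this, which is why it only flags and never decides on its own.
    """
    gaps = (later - earlier for earlier, later in zip(command_times, command_times[1:]))
    return any(gap > max_gap_seconds for gap in gaps)


if __name__ == "__main__":
    for client in ("192.0.2.45", "198.51.100.23", "203.0.113.77", "203.0.113.10"):
        accept, reply = connection_policy(client)
        print(f"{client:>15} accept={accept} -> {reply}")
    # Constructed command timestamps (seconds since connect) for two sessions.
    client_session = [0.00, 0.04, 0.09, 0.15]   # HELO, MAIL, RCPT, DATA by software
    typed_session = [0.0, 3.8, 9.1, 16.4]       # the same commands typed by hand
    print("client session interactive:", looks_interactive(client_session))
    print("typed session interactive: ", looks_interactive(typed_session))
```

The 203.0.113.77 case shows the missing-PTR branch returning a 4xx rather than a 5xx: a temporary failure lets a legitimately misconfigured sender retry once its reverse record exists, while still refusing the session now.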
Re: what does 0 in 0Xnnnn mean? [7:40372]
I guess then when you are writing a parser for a compiler it helps if all numeric constants start with a numeric.

Marc

Wes Stevens wrote:
We need to find an old IBM'er for that answer I think. I know that 0x has been used on IBM systems since before Cisco made its first router.

From: Priscilla Oppenheimer
Reply-To: Priscilla Oppenheimer
To: [EMAIL PROTECTED]
Subject: Re: what does 0 in 0X mean? [7:40372]
Date: Wed, 3 Apr 2002 17:22:17 -0500

I think editors like to throw in leading zeros. For example, you will notice that they never let you get away with saying something like .534. It has to be 0.534. Supposedly that's easier to read. I didn't know octal was 0d. I bet they had to do that because of the other rule that you have to start with 0. 0o or 0O would be too hard to parse if they were to use o or O for octal. ;-)

Priscilla

At 04:40 PM 4/3/02, John Neiberger wrote:
I think the question is what does the '0' specifically refer to? We know that 0x indicates hex, but I'm guessing he's asking why we don't simply use x instead of 0x, or d for octal instead of 0d. Speaking of that, why is octal 0d? I'd think that 'd' should mean decimal.

John

Persio Pucci 4/3/02 2:16:55 PM
That indicates that the notation in use is hexadecimal for the registry number, i.e. 0x2102 set the registry bits to 110010

Persio

- Original Message -
From: Jeffrey Reed
To:
Sent: Wednesday, April 03, 2002 5:12 PM
Subject: what does 0 in 0X mean? [7:40372]

Here's a good question an intern asked me and I couldn't even make up an answer. I was working with him showing how to recover a password and we were changing the confreg setting. He asked what the leading 0 before the X represented. I'm not sure; any help from the group is appreciated.

Jeffrey Reed
Classic Networking, Inc.
Cell 717-805-5536 Office 717-737-8586 FAX 717-737-0290

Priscilla Oppenheimer
http://www.priscilla.com

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=40456t=40372
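Added example, not code from the thread: a small lexer that decides "number or identifier?" from the first character alone, which is the parser convenience Marc and Priscilla describe (0x2102 is a number, x2102 an identifier, and 0o17 falls apart), plus a decoder for the configuration-register value the intern asked about. The confreg bit names are taken from general IOS documentation, not from the thread.

```python
"""Why numeric constants that start with a digit make a lexer's life easy,
using the confreg values from the discussion (added illustration)."""
import re
from typing import List, Tuple

# The first character settles the token class: a digit starts a number, a
# letter starts an identifier. The prefix letter (x for hex) only matters once
# we already know we are inside a number, so x2102 stays a plain identifier.
TOKEN_RE = re.compile(
    r"""
    (?P<hex>0[xX][0-9A-Fa-f]+)          # leading 0 then x: hexadecimal
    | (?P<oct>0[0-7]+)                  # leading 0 then digits: C-style octal
    | (?P<dec>[1-9][0-9]*|0)            # plain decimal (a lone 0 is decimal)
    | (?P<ident>[A-Za-z_][A-Za-z0-9_]*) # identifiers never start with a digit
    | (?P<ws>\s+)
    """,
    re.VERBOSE,
)


def tokenize(text: str) -> List[Tuple[str, str]]:
    """Split text into (kind, lexeme) pairs, skipping whitespace."""
    tokens, pos = [], 0
    while pos < len(text):
        m = TOKEN_RE.match(text, pos)
        if m is None:
            raise ValueError(f"unexpected character {text[pos]!r} at offset {pos}")
        if m.lastgroup != "ws":
            tokens.append((m.lastgroup, m.group()))
        pos = m.end()
    return tokens


def to_int(kind: str, lexeme: str) -> int:
    """Convert a numeric lexeme using the base the prefix announced."""
    return int(lexeme, {"hex": 16, "oct": 8, "dec": 10}[kind])


# Configuration-register flags (from IOS documentation, not from the thread;
# the thread only mentions the value 0x2102). Other bits are left undecoded.
CONFREG_FLAGS = {
    0x0040: "ignore NVRAM configuration (bit 6)",
    0x0100: "console Break disabled (bit 8)",
    0x2000: "boot default ROM software if network boot fails (bit 13)",
}


def describe_confreg(value: int) -> Tuple[int, List[str]]:
    """Return the boot field (low four bits) and the named flags that are set."""
    boot_field = value & 0x000F
    flags = [name for bit, name in CONFREG_FLAGS.items() if value & bit]
    return boot_field, flags


if __name__ == "__main__":
    for kind, lexeme in tokenize("confreg 0x2102"):
        print(kind, lexeme)
    print(describe_confreg(to_int("hex", "0x2102")))
```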
Re: NAT overlapping example....Does not work? [7:38838]
I just tried this and it worked OK, but it needed a default route to the outside. I also tried it making the inside network routed rather than connected, and it still worked. I think that IOS 11.2 and earlier won't work. You have to set up a translation from one direction before you have a pool address that you can ping from the other direction, because both ways are dynamically mapped.

rgds
Marc

Cisco Nuts wrote:
Hello,
Does anyone know of any links or examples for NAT overlapping? I tried to use the one in the CCNP Remote Access Support Book exactly as it was shown but it looks like the author might have missed something, as it's not working... Basically pings don't work.
Thank you.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=39591t=38838
Re: NAT Order of Operation [7:38021]
I have to eat my words in public! I just had a go (IOS 12.0) at the overlapping NAT example from the Cisco BCRAN book, and after minor mods, the config worked like magic. The outbound packets were indeed routed before the destination address was known, incredible.

Marc

Marc Thach Xuan Ky wrote:
John,
I have never had great faith in that page. Taken literally, since outside to inside packets are NAT'd before routing, it means that if you have more than one outside interface, then a packet bound from one to another will get translated twice. If there was not an existing suitable mapping then that would imply that the inbound packet would be dropped. Now I haven't tried this, so I don't know whether it happens or not, but if it were the case, I'm sure somebody would have complained by now. If it doesn't happen then the page does not correctly describe the operation.

The flip side of that situation is that with a twice-NAT configuration a packet bound inside-outside is routed before the router knows the actual (translated) destination address. How can that be?

I haven't done that much with NAT since 11.2, but I have seen twice-NAT configurations where a ping has gone through and been replied to OK but when a debug was running, five translations occurred instead of four; I can't remember what the extra one was. I have also seen a case where an inbound access list was inspected both before and after translation. Now I understand that the NAT code has been rewritten since then but my early experience with Cisco NAT has left me somewhat sceptical.

Marc

John Neiberger wrote:
Someone just posted something on the CCIE list and while researching the answer I found this page:
http://www.cisco.com/warp/public/556/5.html

After looking at that page, it appears to me that it's safe to say that if you're in an environment that uses both NAT and Policy-Based Routing, the IP addresses you use in the policy maps are _always_ local addresses, either inside local or outside local. Is that correct? It seems that it would never be the case where you'd use an outside local or outside global address within a route map. Is that a true statement?

Thanks,
John

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=39588t=38021
Re: Cisco's pps claims [7:38956]
I don't really know what the overhead of that specific stuff is, but it's all part of a packet coming up the stack to the routing layer, and it has to be done per packet, so packet size is irrelevant to that. Using traditional routing techniques such as process or fast switching, the packet will be decapsulated to IP regardless of the underlying layers. I imagine that most of the framing work is done in hardware.

Marc

John Green wrote:
"the routing decision consumes the bulk of the CPU bandwidth, shovelling the rest of the packet through is low-overhead."
Say a router connects between Ethernet and Frame Relay, or between two dissimilar Layer 2 networks. Then the router would be stripping off one network's layer 2 frame and replacing it with the layer 2 frame of the other network where the packet is to be sent. Would you call this low-overhead as well? I guess your example would be if the router were to connect between the same Layer 2 networks, i.e. say both networks are Ethernet. Right? Just want to make sure...

--- Marc Thach Xuan Ky wrote:
Sam,
I think the question is: what is your average packet size? Using process or fast switching I should think that the packet size is almost irrelevant to the router. I have benchmarked many PCs and NICs running certain routing software. On a PCI bus PC the pps difference between 64 and 1518 octet frames was in the order of ten to twenty percent, i.e. the routing decision consumes the bulk of the CPU bandwidth, shovelling the rest of the packet through is low-overhead.

Marc

sam sneed wrote:
I noticed Cisco uses pps when they give their specs for routers, firewalls, etc. What is the assumed packet size when they come up with these specs? I'm planning on using 2 2621's in HSRP mode (getting default routes via BGP) and need to be able to support a constant 10 Mb/sec and would like to know if these routers will do the trick.
thanks

[EMAIL PROTECTED]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=39017t=38956
Re: nat pool problem [7:38872]
Have you got a route to the pool?
Marc

george wrote:
I'm having problems statically translating a server to the outside world, but looking at my config is there something I'm missing?

hostname Router
!
logging buffered 8192 debugging
enable secret 5 $1$D7U1$YMuIAg0B3iJtwD0vt0ZWn0
!
username Router password 7 097C4F1A0A1218000F
!
!
!
!
!
dial-peer voice 1 pots
 call-waiting
 ring 0
 port 1
 destination-pattern 6688594
!
dial-peer voice 2 pots
 call-waiting
 ring 0
 port 2
 destination-pattern 6688549
!
pots country US
!
ip subnet-zero
no ip source-route
!
isdn switch-type basic-ni
!
!
!
interface Ethernet0
 ip address 192.168.9.102 255.255.255.0
 ip access-group 121 in
 no ip proxy-arp
 ip nat inside
!
interface BRI0
 no ip address
 encapsulation ppp
 dialer pool-member 1
 isdn switch-type basic-ni
 isdn spid1 95666885940101 6688594
 isdn spid2 95666885490101 6688549
 isdn incoming-voice modem
 ppp authentication chap pap callin
 ppp multilink
!
interface Dialer1
 description ISP
 ip address 66.85.189.9 255.255.255.248
 ip access-group 121 in
 no ip proxy-arp
 ip nat outside
 encapsulation ppp
 no ip split-horizon
 dialer remote-name Cisco1
 dialer pool 1
 dialer idle-timeout 2147483
 dialer string 9840559 class DialClass
 dialer hold-queue 10
 dialer load-threshold 1 either
 dialer-group 1
 pulse-time 0
 ppp authentication chap pap callin
 ppp chap hostname loopcold
 ppp chap password 7 04560807032D4940
 ppp pap sent-username loopcold password 7 09414D081509121C
 ppp multilink
!
ip nat pool ISPNATPool 66.85.189.11 66.85.189.14 netmask 255.255.255.248
ip nat inside source list 18 pool ISPNATPool overload
ip nat inside source static 192.168.9.101 66.85.189.10
no ip http server
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
!
!
map-class dialer DialClass
 dialer isdn speed 56
access-list 18 permit 66.85.189.8 0.0.0.7
access-list 121 deny udp any eq netbios-dgm any
access-list 121 deny udp any eq netbios-ns any
access-list 121 deny udp any eq netbios-ss any
access-list 121 deny tcp any eq 137 any
access-list 121 deny tcp any eq 138 any
access-list 121 deny tcp any eq 139 any
access-list 121 permit ip any any time-range TIME
dialer-list 1 protocol ip permit
!
line con 0
 exec-timeout 120 0
 transport input none
 stopbits 1
line vty 0 4
 exec-timeout 0 0
 password 7 082F435A0809041E1C
 login

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=38913t=38872
Re: clock rate [7:38908]
1. Because it's 64000 bps, built by humans, not computer memory.
3. huh? Note that if you earn 50k you will get 5 (less tax)

Marc

Ellis Lam wrote:
Two Qs,
1. in FR, when we specify clock rate for 64k, we use clock rate 64000, why not 64 x 1024 = 65536? and for 1.544 mbps, we use 148000, why not 1.544 x 1024 x 1024?
2. in OSPF, when we config a loopback interface with address 128.10.10.10/24, in another router we can see the route to 128.10.10.10/32?? but if we config an ethernet interface, it is 128.10.10.10/24, any reason?? or simply the behaviour in OSPF?
Thanks
Ellis

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=38915t=38908
Re: NAT questions-will overlap occur? [7:38764]
Hi Tong,
I said that you have the same network on both sides of the NAT router because the pool is a network, and in this case it is an inside pool so exists on the inside. Sorry about this, but I had another look at your mail and the second type of NAT is not twice-NAT like I said, but overloaded NAT which is sometimes called NAPT or PAT (Network Address Port Translation is the RFC-compliant term). One important difference is that NAPT will not easily allow inbound connections.

I've now seen the example referred to by Cisco Nuts in another post. I can't see how that can work at all. My policy with any single-stack NAT device is to avoid an overlap.

Q1. ans. If I understand you correctly, the question is about routing within the outside network to the NAT router. I don't know. Maybe the router is doing proxy arp for pool addresses when there's an overlap? I take it that the configuration is currently working, is that right?

Q2. ans. Again, this is about routing within the outside network, which may not be in your control, therefore the exchange is dictating the terms here.

Q3. ans. I don't know whether you can use the same IP address for the pool and the interface with IOS. Why not try it?

This overlap thing is beginning to puzzle me and I thought I knew a lot about NAT. I can't see how it works, but you seem to be saying that it is working for you. I need to switch my routers on and have a further look.

rgds
Marc

Sim, CT (Chee Tong) wrote:
Hi Marc and dear all,

"You cannot have the same network on both sides of the NAT router."
Why did you say that I had the same network on both sides of the NAT router? I have 50.100.165.X and 192.168.3.X on both sides of the NAT router.

interface Ethernet0
 description Interface facing Financial Service Provider
 ip address 192.168.3.1 255.255.255.0
 ip nat outside
interface Ethernet1
 description Interface facing Rabobank (Trusted) network
 ip address 50.100.165.240 255.255.255.0
 ip nat inside
ip nat pool XXY 192.168.3.101 192.168.3.240 netmask 255.255.255.0
ip nat inside source list 1 pool XXY

I am not the one who configured this NAT router previously.

Q1) What I don't understand is when we establish the connection from 50.100.165.50 (for eg) to 192.168.3.50 (for eg). The source IP will change to 192.168.3.111 (for eg) after it passes thru the NAT router and reaches the destination 192.168.3.50. When it replies back the source IP is 192.168.3.50 and the destination IP is 192.168.3.111. How does the packet know it has to go to Ethernet0 of the NAT router, as the IP of the NAT router's Ethernet0 is 192.168.3.1, not 192.168.3.111?

Q2) "Normally I would want to use a NAT pool that was not present on either side of the router."
Yes, I saw this in my book as follows:

ip nat pool ovrld-nat 172.16.2.2 172.16.2.2 netmask 255.255.255.0
ip nat inside source list 1 pool ovrld-nat overload
!
interface Ethernet0/0
 ip address 10.1.1.10 255.255.255.0
 ip nat inside
!
interface serial0/0
 ip address 192.168.3.1 255.255.255.0
 ip nat outside
!
access-list 1 permit 10.1.1.0 0.0.0.255

OK, I understand this: whenever the packets from the 10.1.1.X network go out, the source IP will all become 172.16.2.2, but when the packet gets a reply, the destination will be 172.16.2.2. How the hell does the packet know it should go to serial0/0, as its IP is 192.168.3.1, not 172.16.2.2? Unless there is a route added in the target host. But how can we expect to add the route entry in all the hosts?

Q3) I did NAT with a Checkpoint firewall for my internet access; my firewall has two IPs, 50.100.100.1 (internal) and 200.100.100.64 (external). I configured it in such a way that all the outgoing packets' source IP becomes 200.100.100.64 after passing thru the firewall and it works, as I think the replying packet's destination will be the firewall's external IP. Can we configure the same thing with my Cisco router as shown below?

ip nat pool ovrld-nat 192.168.3.1 192.168.3.1 netmask 255.255.255.0
ip nat inside source list 1 pool ovrld-nat overload
!
interface Ethernet0/0
 ip address 10.1.1.10 255.255.255.0
 ip nat inside
!
interface serial0/0
 ip address 192.168.3.1 255.255.255.0
 ip nat outside
!
access-list 1 permit 10.1.1.0 0.0.0.255

Will it work?

-Original Message-
From: Marc Thach Xuan Ky [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, March 19, 2002 8:49 PM
To: Sim, CT (Chee Tong)
Cc: [EMAIL PROTECTED]
Subject: Re: NAT questions-will overlap occur? [7:38764]

Hi Tong,
The second method you use is twice-NAT, both source and destination addresses are converted. This does not work well on Cisco routers unless all NAT entries are defined statically. This is sometimes a good policy anyway where there are only a small number of known connections, which is often the case when connecting to exchange feeds for instance. You have an address clash. Note that a NAT router has only one IP stack and one
Re: NAT questions-will overlap occur? [7:38764]
Hi Tong,
I've reread the BCRAN book. The example given of NAT overlap is when the two real network spaces overlap, not when a pool overlaps with the real space. I still don't see how this can work.
Marc

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=38932t=38764
Re: Cisco's pps claims [7:38956]
Sam,
I think the question is: what is your average packet size? Using process or fast switching I should think that the packet size is almost irrelevant to the router. I have benchmarked many PCs and NICs running certain routing software. On a PCI bus PC the pps difference between 64 and 1518 octet frames was in the order of ten to twenty percent, i.e. the routing decision consumes the bulk of the CPU bandwidth, shovelling the rest of the packet through is low-overhead.

Marc

sam sneed wrote:
I noticed Cisco uses pps when they give their specs for routers, firewalls, etc. What is the assumed packet size when they come up with these specs? I'm planning on using 2 2621's in HSRP mode (getting default routes via BGP) and need to be able to support a constant 10 Mb/sec and would like to know if these routers will do the trick.
thanks

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=38983t=38956
Re: NAT questions-will overlap occur? [7:38764]
Hi Tong,
The second method you use is twice-NAT, both source and destination addresses are converted. This does not work well on Cisco routers unless all NAT entries are defined statically. This is sometimes a good policy anyway where there are only a small number of known connections, which is often the case when connecting to exchange feeds for instance.

You have an address clash. Note that a NAT router has only one IP stack and one routing table. You cannot have the same network on both sides of the NAT router. In your case it might be possible to use a /25 mask and use .129-.254 for the pool, however, I would not recommend this without further information from you. Normally I would want to use a NAT pool that was not present on either side of the router. Is there a reason that you are using that pool anyway? Is this dictated by the provider, or are they happy to route to a network that you specify?

You need to know how many servers will be contacted within the financial services provider, and how many clients on your network, also which way is the connection made? Is it a persistent connection? Is there any name resolution across the router?

rgds
Marc TXK

Sim, CT (Chee Tong) wrote:
I found my previous administrator configured the following NAT for my router (shown below). Our network is in 50.100.X.X and we need to contact a workstation in the 192.168.3.X network (192.168.3.1-192.168.3.100). That's why he defined the source pool to be from 192.168.3.101 to 192.168.3.240.

interface Ethernet0
 description Interface facing Financial Service Provider
 ip address 192.168.3.1 255.255.255.0
 ip nat outside
interface Ethernet1
 description Interface facing Rabobank (Trusted) network
 ip address 50.100.165.240 255.255.255.0
 ip nat inside
ip nat pool XXY 192.168.3.101 192.168.3.240 netmask 255.255.255.0
ip nat inside source list 1 pool XXY

## Q1) But, when I show IP nat trans, I saw the following. I understand the first two, but not line 3. The 192.168.3.118 should be the source address of the returning packet; what is 192.168.3.119?

RBFW2514#sh ip nat trans
Pro Inside global      Inside local       Outside local      Outside global
--- 192.168.3.117      50.100.165.81      ---                ---
--- 192.168.3.118      50.100.165.210     ---                ---
--- 192.168.3.119      192.168.3.118      ---                ---

Q2) I understand there is another kind of NAT which works like the following.

Inside global        Inside local       Outside local      Outside global
192.168.2.2:1234     10.0.0.1:1234      172.21.3.1:23
192.168.2.2:         10.0.0.2:          172.21.3.2:23
192.168.2.2:         10.0.0.3:          172.21.3.4:23

What is the difference between these methods? I think both NATs can work. Why don't we use this one?

Q3) But in this method, I found a problem: what if 10.0.0.1 and 10.0.0.2 use the same port? There will be 2 x 192.168.2.2: in the inside global. Will 192.168.2.2: have a problem identifying which to NAT back to, 10.0.0.1 or 10.0.0.2?

Thanks a lot
Tong

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=38771t=38764
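Added example, not code from the thread and not a description of IOS internals: a model of the overloaded NAT (NAPT/PAT) table from Tong's Q2, with the Q3 case handled (two inside hosts both using source port 1234) and the inbound behaviour Marc mentions, where a reply with no existing entry has no way back in. Addresses are the ones from the thread; the port-allocation policy (keep the original port when free, else the next unused one) is an assumption.

```python
"""Overloaded NAT (NAPT/PAT) table model for the Q2/Q3 discussion.
Added illustration; the allocation policy is an assumption, not Cisco's."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


class Napt:
    """One inside-global address shared by many inside-local hosts."""

    def __init__(self, inside_global: str, first_port: int = 1024,
                 last_port: int = 65535) -> None:
        self.inside_global = inside_global
        self.first_port, self.last_port = first_port, last_port
        self.next_port = first_port
        # outbound: (proto, inside local, local port) -> inside global port
        self.out: Dict[Tuple[str, str, int], int] = {}
        # inbound:  (proto, inside global port) -> (inside local, local port)
        self.back: Dict[Tuple[str, int], Tuple[str, int]] = {}

    def _alloc_port(self, proto: str, wanted: int) -> int:
        # Keep the host's own source port when no other host holds it, so the
        # first 10.0.0.x:1234 flow keeps 1234; the second gets a fresh port.
        if (proto, wanted) not in self.back:
            return wanted
        for _ in range(self.last_port - self.first_port + 1):
            cand = self.next_port
            self.next_port = self.first_port if cand == self.last_port else cand + 1
            if (proto, cand) not in self.back:
                return cand
        raise RuntimeError("NAPT port pool exhausted")

    def outbound(self, pkt: Packet) -> Packet:
        """Inside -> outside: rewrite source to inside global:port."""
        key = (pkt.proto, pkt.src, pkt.sport)
        gport = self.out.get(key)
        if gport is None:
            gport = self._alloc_port(pkt.proto, pkt.sport)
            self.out[key] = gport
            self.back[(pkt.proto, gport)] = (pkt.src, pkt.sport)
        return Packet(pkt.proto, self.inside_global, gport, pkt.dst, pkt.dport)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Outside -> inside: only the global port tells the hosts apart.
        Without an existing entry there is nothing to translate to (dropped)."""
        entry = self.back.get((pkt.proto, pkt.dport))
        if pkt.dst != self.inside_global or entry is None:
            return None
        local_ip, local_port = entry
        return Packet(pkt.proto, pkt.src, pkt.sport, local_ip, local_port)

    def translations(self) -> List[Tuple[str, str, str]]:
        """Rows in the order of Tong's table: Pro, Inside global, Inside local."""
        return [(proto, f"{self.inside_global}:{gport}", f"{src}:{sport}")
                for (proto, src, sport), gport in self.out.items()]


if __name__ == "__main__":
    nat = Napt("192.168.2.2")
    nat.outbound(Packet("tcp", "10.0.0.1", 1234, "172.21.3.1", 23))
    nat.outbound(Packet("tcp", "10.0.0.2", 1234, "172.21.3.2", 23))
    for row in nat.translations():
        print(*row)
```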
Re: NAT with printer [7:38781]
Have you disallowed the printer address with an acl for the pool?
Marc

Zolla Zimmerman wrote:
Hi All,
I really have a problem. I have enabled NAT on the router. I am able to reach all PCs but the printer. Here is the scenario:

192.168.1.0            192.168.3.0
     |                      |
     |                      |
  --Router1-------------Router2--
                            |
                            |
                      192.168.3.252 (Printer)

1. We have enabled NAT on router2 to translate 192.168.3.0 0.0.0.250 to a pool 192.168.8.0
2. Enabled static NAT for printer to 192.168.8.252

Please help
Zolla

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=38800t=38781
Re: HELP !! CCIE 2B or NOT? [7:36542]
I was under the impression that some Asian countries used the numerically consistent notation y/m/d :-) This of course demonstrates that the world is a big place with many different outlooks. We should be able to accommodate them all and Tim is therefore free to put whatever sig he likes at the bottom of his mails.

rgds
Marc

Tom Lisa wrote:
Everywhere except U.S. civilian usage. U.S. Military uses day/mo/yr format. At least it did when I was a member 20 years ago.
Prof. Tom Lisa, CCAI
Community College of Southern Nevada
Cisco ATC/Regional Networking Academy

[EMAIL PROTECTED] wrote:
european-format? I thought it was everywhere except the US format! ;-)
JMcL

- Forwarded by Jenny Mcleod/NSO/CSDA on 28/02/2002 01:47 pm -
Steven A. Ridder
Sent by: [EMAIL PROTECTED]
28/02/2002 12:26 pm
Please respond to Steven A. Ridder
To: [EMAIL PROTECTED]
cc:
Subject: Re: HELP !! CCIE 2B or NOT? [7:36542]

Australia uses european-format time as well?
-- RFC 1149 Compliant.

wrote in message news:[EMAIL PROTECTED]...
However if you do this I suggest you use a less ambiguous date format - my first reaction is oh, so you did the lab in January - but did you pass??
JMcL

- Forwarded by Jenny Mcleod/NSO/CSDA on 28/02/2002 10:57 am -
Jeff Buehler
Sent by: [EMAIL PROTECTED]
28/02/2002 09:29 am
Please respond to Jeff Buehler
To: [EMAIL PROTECTED]
cc:
Subject: Re: HELP !! CCIE 2B or NOT? [7:36542]

Perhaps it would be more appropriate to put your lab date instead of the CCIE Written if you want to demonstrate where you are in your pursuit... for example:
CCIE R/S LAB 6-1-2002 RTP

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=38244t=36542
Re: NAT concepts [7:37815]
As far as I can tell this is another one of those Cisco quirks. Unless Cisco plan for the future a mechanism whereby the route to the NAT pool is dynamically advertised, then the subnet mask has no *real* function. IMO while routes to the pool are statically defined and then redistributed, it remains a mere annoyance.

rgds
Marc

saleem bilal wrote:
Dear Paul:
According to my perception: when we have a pool of addresses hired from a certain operator/InterNIC we configure it to be used statically or through NAT. We may not need to use all IP addresses for NAT only, but some of them can be used for static translation; that's why we describe the start IP address and end IP address. The NAT function should know the subnet mask because when a packet from a private address comes in it is translated through NAT with the subnet mask attached. The subnet mask in this case will help the routing of the packet when it comes back to the originating system through different routers. Plus in all IP address scenarios we need to mention the IP address with mask, as routers do the AND operation to extract the original IP address. It would not have been possible for any router in the path to extract the original network without having the subnet mask. I hope you understand what I'm saying.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=37844t=37815
2500 flash memory SIMMs don't work [7:37586]
A couple of months ago I bought some (non-approved) 8M flash for c2500 for $76 per SIMM (ouch). I couldn't write to them. I have now upgraded to bootrom version 11.0(10c)XB2. I still can't write to them. The SIMMs are marked SMART SM73228XV1CAVS0. Does anybody know whether these modules should work? The vendor is a bit unresponsive.

rgds
Marc

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=37586t=37586
Re: Reverse Telnet SW for PC? [7:37246]
Have you tried Linux?
Marc

Johan Hjalmarsson wrote:
Does anybody know if there's any software out there to turn a PC into a Cisco 2509? What I need is the ability to telnet to the PC and get the telnet traffic redirected out a COM port, just like reverse telnet in the Cisco. One solution is of course to get a 2509, but for the moment my budget won't let me :-( and I've already got a PC with 8 COM ports.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=37248t=37246
Re: Bit / bytes [7:36562]
Bytes are not part of the OSI model until at least the presentation layer (I can't remember whether there is an ASN.1 byte datatype). Comms engineers talk about octets, but note that by the time we get down to layer 2 we start to encounter techniques such as bit-stuffing, so a frame may not even have a multiple of eight bits in it. So from this we must assume that there is no conversion from bits to bytes or vice-versa.

rgds
Marc

Pierre-Alex Guanel wrote:
This is clear. Thank you!
Pierre-Alex

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Priscilla Oppenheimer
Sent: Tuesday, February 26, 2002 8:27 PM
To: [EMAIL PROTECTED]
Subject: Re: Bit / bytes [7:36562]

Layer 1 just understands bits. Hardware, in general, understands voltage and no voltage (one or zero). I guess it could understand high voltage and low voltage. In fact, there are even ternary systems that understand high, kinda high, and low.

Back in the early days, software engineers got kind of sick of having to deal with long streams of numbers and decided to aggregate them. An 8-bit byte worked out for many systems. (There used to be systems that used a 12-bit byte). So anything that is implemented in software (or software that has become firmware) uses bytes or perhaps nibbles or words.

Most NICs that handle data-link-layer processes have some software (driver) or firmware (chip set). Thus, I would say that they deal with bytes or nibbles or words or floating integers or arrays or linked lists or symbol tables or at least something of a higher order than voltage being present or not.

Priscilla

At 07:12 PM 2/26/02, you wrote:
Is conversion of bits into bytes and vice versa a function of Layer 1 or Layer 2? I have seen contradictory info. (I would say it is a layer 2 function because Layer 1 is only physical matters like voltage etc... but someone may have a logic to prove me wrong)
thanks,
Pierre-Alex

Priscilla Oppenheimer
http://www.priscilla.com

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=36750t=36562
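Added example, not code from the thread: HDLC-style zero-bit stuffing, the layer-2 technique Marc refers to, showing that what goes on the wire need not be a whole number of octets. Bits are taken least-significant bit first as HDLC transmits them; the payload bytes are constructed for the example.

```python
"""Zero-bit stuffing as used by HDLC framing (added illustration).
After five consecutive 1s a 0 is inserted, so the data can never contain the
flag pattern 01111110; the stuffed frame is then, in general, not a multiple
of eight bits long."""
from typing import List

FLAG = [0, 1, 1, 1, 1, 1, 1, 0]  # 0x7E as transmitted: the only legal run of six 1s


def bytes_to_bits(data: bytes) -> List[int]:
    """Octets to a bit list, least-significant bit of each octet first."""
    return [(octet >> i) & 1 for octet in data for i in range(8)]


def bits_to_bytes(bits: List[int]) -> bytes:
    """Inverse of bytes_to_bits; only defined for a whole number of octets."""
    if len(bits) % 8:
        raise ValueError(f"{len(bits)} bits is not a whole number of octets")
    return bytes(
        sum(bits[i + j] << j for j in range(8)) for i in range(0, len(bits), 8)
    )


def stuff(bits: List[int]) -> List[int]:
    """Insert a 0 after every run of five 1s."""
    out, run = [], 0
    for b in bits:
        out.append(b)
        run = run + 1 if b else 0
        if run == 5:
            out.append(0)   # the inserted bit; it breaks the run
            run = 0
    return out


def unstuff(bits: List[int]) -> List[int]:
    """Drop the inserted 0s. Six 1s in a row cannot be data (flag or abort)."""
    out, run, expect_zero = [], 0, False
    for b in bits:
        if expect_zero:
            if b != 0:
                raise ValueError("six consecutive 1s inside frame data")
            expect_zero = False
            continue
        out.append(b)
        run = run + 1 if b else 0
        if run == 5:
            expect_zero = True
            run = 0
    return out


def frame(payload: bytes) -> List[int]:
    """Flag + stuffed payload + flag, as it would appear on the line."""
    return FLAG + stuff(bytes_to_bits(payload)) + FLAG


def longest_run_of_ones(bits: List[int]) -> int:
    best = run = 0
    for b in bits:
        run = run + 1 if b else 0
        best = max(best, run)
    return best


if __name__ == "__main__":
    stuffed = stuff(bytes_to_bits(b"\xff\xff"))   # constructed payload
    print(len(stuffed), "bits on the wire for 2 octets of data")
```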
Re: DNS Request Redirection [7:35703]
Any decent ISP will refuse DNS recursion from any IP address that is not within its own address space. This is fundamental to DNS security. You need to rewrite the destination IP address. Note that Cisco's NAT is not suitable for this because of the DNS ALG. The easiest thing to do may be to provide an on-site caching DNS using the old ISP's DNS addresses. If you've got a lot of workstations and a decent bandwidth to the Internet, you will probably find that running your own DNS cache will be more satisfactory anyway.

rgds
Marc TXK

Godswill HO wrote:
You can still use your former ISP's DNS records while using the new ISP's bandwidth. It does not matter who owns the DNS server. Everybody has access to it once they are on the internet, except when they are specifically filtered. The only drawback is that your new ISP has to forward the packet in a round trip to the old ISP's network through the internet before they are resolved and sent back to your machine; had you been using the DNS of your new ISP, these requests would stop there. Do not lose your sleep, because at the worst these delays are in milliseconds and not easily noticeable by the eye; moreover each machine has a cache so it does not forward every request. Great if you have a Cache Engine to complement the machine's cache. Whatever, you are cool and everything will be fine, switch to your new ISP and enjoy.
Regards.
Oletu

- Original Message -
From: Michael Hair
To:
Sent: Sunday, February 17, 2002 8:07 PM
Subject: DNS Request Redirection [7:35703]

I was wondering what is the best way to take care of the following: I have been using a private address space behind a Cisco 4500 router connected up to our current ISP using NAT; now we want to move our connection from our current ISP to a new ISP with better bandwidth. My problem is that we don't want to change all our client machines' TCP/IP settings, which are all static; for some reason or another they were all set up to use our ISP's DNS. Not my idea but that's another problem. So how can I set up our router to forward requests looking for our current ISP's DNS to our new ISP's DNS without touching all the client machines? Would the best way be to use policy-based routing? Would a static route work? Could I use a static route under NAT? If someone could provide me a sample of how you could do this I would be grateful...
Thanks
Michael

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=35743t=35703
Re: DNS Request Redirection [7:35703]
Recursion is precisely what he was concerned about. As you have alluded, there are two roles for a DNS server, cacheing (which requires recursion), and authoritataive. An ISP does not need to publish the addresses of a authoritative nameserver, those addresses are stored in the distributed database and are therefore found naturally. The only reason for publishing an ISPs DNS server addresses to their customers is for use as cacheing servers (often confusingly called resolvers). Whereas using another ISPs DNS cache servers may be technically possible right now because of lax practices, I wouldn't want all my users to be cut off by events beyond my control e.g. when said lax ISP engages a half-decent DNS consultant. Within DNS circles the practice is frowned upon, and it might be held that it is actually criminal in several juridsdictions. My own belief is that running your own cacheing DNS server is almost always the best solution, but then I am biased since DNS is my specialism :-) rgds Marc TXK Priscilla Oppenheimer wrote: At 12:28 PM 2/18/02, Marc Thach Xuan Ky wrote: Any decent ISP will refuse DNS recursion from any IP address that is not within its own address space. He wasn't asking about recursion. He was asking about the initial query from the end host. Although I could believe you that a service provider should make sure these queries only come from customers, my experience is that service providers don't do this. I can set my PC to use a variety of DNS servers around the Internet and it works. I think it's because it's tricky to do, especially for small ISPs. Some ISPs might have only one DNS server. The same server that provides DNS services to Internet-access customers may also be the authority for various names managed by the ISP. The ISP may be doing Web hosting and be the authority for a bunch of names. In that case, it can't filter out DNS queries coming from the Internet. 
For example, say your PC asks your local DNS server to resolve www.priscilla.com. Your server can't do it. It asks its upstream server, probably one of the root servers. The root server figures out that petiteisp.com owns www.priscilla.com and tells your server the IP address of the authoritative name server at petiteisp.com. Your server queries petiteisp.com, which gives your server the IP address for www.priscilla.com. Your server finally responds to your PC. Notice that the query to petiteisp.com came from some unexpected IP address that can't be anticipated in a filter. If petiteisp.com had a filter to allow queries only from its customers, the query from your server would have failed. Did that make sense? ;-) How do bigger ISPs handle this? I suppose bigger ISPs have more than one DNS server, one for Internet access customers, and one that is the authority for names owned by the ISP. Priscilla

This is fundamental to DNS security. You need to rewrite the destination IP address. Note that Cisco's NAT is not suitable for this because of the DNS ALG. The easiest thing to do may be to provide an on-site caching DNS using the old ISP's DNS addresses. If you've got a lot of workstations and a decent bandwidth to the Internet, you will probably find that running your own DNS cache will be more satisfactory anyway. rgds Marc TXK

Godswill HO wrote: You can still use your former ISP's DNS records while using the new ISP's bandwidth. It does not matter who owns the DNS server. Everybody has access to it once they are on the internet, except when they are specifically filtered. The only drawback is that your new ISP has to forward the packet in a round trip to the old ISP's network through the internet before they are resolved and sent back to your machine; had you been using the DNS of your new ISP, these requests would stop there.
Do not lose your sleep, because at the worst these delays are in milliseconds and not easily noticeable by the eye; moreover, each machine has a cache so it does not forward every request. Great if you have a Cache Engine to complement the machine's cache. Whatever, you are kool and everything will be fine; switch to your new ISP and enjoy. Regards. Oletu

- Original Message - From: Michael Hair To: Sent: Sunday, February 17, 2002 8:07 PM Subject: DNS Request Redirection [7:35703] I was wondering what is the best way to take care of the following: I have been using a private address space behind a Cisco 4500 router connected up to our current ISP using NAT; now we want to move our connection from our current ISP to a new ISP with better bandwidth. My problem is that we don't want to change all our client machines' TCP/IP settings, which are all static; for some reason or another they were all set up to use our ISP's DNS. Not my idea but that's another problem. So how can I set up our router to forward
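The two roles Marc and Priscilla argue over, as an added example that is not part of the thread: a small policy check that parses a raw DNS query and answers authoritative queries for hosted zones from anywhere, grants recursion only to the ISP's own address space, and refuses the rest. The prefixes and zone names are constructed for the example; the policy function is hypothetical, not any server's real configuration.

```python
import ipaddress
import struct

# Constructed values for this example: the ISP's own customer prefixes and the
# zones it hosts authoritatively (hypothetical, chosen to match the thread).
OWN_PREFIXES = [ipaddress.ip_network("203.0.113.0/24"),
                ipaddress.ip_network("198.51.100.0/24")]
HOSTED_ZONES = ["priscilla.com", "petiteisp.com"]


def build_query(qname, rd, txid=0x1234):
    """Build a minimal A/IN query; the RD bit (0x0100) asks for recursion."""
    flags = 0x0100 if rd else 0x0000
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    name = b"".join(bytes([len(label)]) + label.encode("ascii")
                    for label in qname.split(".")) + b"\x00"
    return header + name + struct.pack("!HH", 1, 1)   # QTYPE=A, QCLASS=IN


def parse_query(packet):
    """Return (rd, qname) from a raw DNS query with one uncompressed question."""
    if len(packet) < 12:
        raise ValueError("short DNS packet")
    _txid, flags, qdcount = struct.unpack("!HHH", packet[:6])
    if flags & 0x8000:                      # QR set: a response, not a query
        raise ValueError("not a query")
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    labels, pos = [], 12
    while True:
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:                   # pointer: illegal in a fresh question
            raise ValueError("compressed label in question")
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    return bool(flags & 0x0100), ".".join(labels).lower()


def policy(src_ip, packet):
    """'authoritative', 'recurse' or 'refused' for a query from src_ip."""
    rd, qname = parse_query(packet)
    src = ipaddress.ip_address(src_ip)
    if any(qname == z or qname.endswith("." + z) for z in HOSTED_ZONES):
        return "authoritative"   # own zone data: answer anyone, RD or not
    if rd and any(src in net for net in OWN_PREFIXES):
        return "recurse"         # caching role: own address space only
    return "refused"             # RCODE 5 REFUSED: no data held, no recursion
```

Priscilla's walk-through still works under this policy because the query from "your server" to petiteisp.com is for a hosted zone, so it is answered regardless of source; only open recursion for outsiders is cut off.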
Re: DNS Request Redirection [7:35703]
Tim, If you wish to provide authoritative DNS service from behind a NAT router, then with a Cisco the NAT code contains various ALGs (application level gateway, I think) including one for DNS. This ALG translates A, MX and PTR records where it can. IIRC if it can't then the response is not passed at all (which many people believe is a major issue). So if the DNS server is behind the same NAT boundary as the servers, all well and good: just use the private addresses in the DNS and they'll be translated. However, if the DNS server is not behind the same NAT boundary as the servers, then you're stuffed. In DNS circles, the purists don't like all this because this technique is probably not possible to maintain for more complex DNS record types, and I believe it only does UDP, so I guess that it isn't best practice. rgds Marc TXK

Tim Booth wrote: Out of curiosity, what is the best practice for someone who has a DNS server on their private network with a private IP address? How would one go about doing this with a router? Is it impossible? Is the best practice/only possible way to have the DNS server having a public IP address (in a DMZ)? Kind Regards, Tim Booth MCDBA, CCNP, CCDP, CCIE written - Those who would give up essential liberty to purchase a little temporary safety deserve neither liberty nor safety. Benjamin Franklin, 1759

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] Sent: Monday, February 18, 2002 13:16 To: [EMAIL PROTECTED] Subject: Re: DNS Request Redirection [7:35703] hhmmm. As I understand the original question, each workstation in the network in question is hard coded for DNS. So, if for example my machine is hard coded for DNS server 207.126.96.162 (my ISP DNS server) and I change ISPs, and make no changes to my workstation, then any DNS request will have a destination address of 207.126.96.162. The question, as I understand, is how to change that destination address without making workstation visits.
Policy routing can change next hop, but not destination address. NAT outbound changes source address, not destination address. Unless there is a packet interceptor that takes all DNS requests and physically changes the destination address, the user has few options. Again, IF the former ISP does not restrict DNS requests to its own address space, i.e. accepts DNS requests from anywhere, then there is no problem and no changes need be made. However, IF (and this would be good practice for a lot of reasons) the former ISP does indeed restrict DNS requests to source addresses within its own space, then there will have to be additional changes on the user network. This whole discussion illustrates why people SHOULD follow best practice from the get go. If they want to hard code IPs, then I believe DHCP can be configured so that it provides only DNS info and default gateway info, for example. The people who have insisted that their network hard code everything are now learning the hard lesson. Chuck

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=35807t=35703